[Webkit-unassigned] [Bug 38680] New: FloatRect::enclosingIntRect performs unsafe type conversion float -> int
bugzilla-daemon at webkit.org
Thu May 6 13:20:13 PDT 2010
https://bugs.webkit.org/show_bug.cgi?id=38680
Summary: FloatRect::enclosingIntRect performs unsafe type
conversion float -> int
Product: WebKit
Version: 528+ (Nightly build)
Platform: All
OS/Version: Mac OS X 10.5
Status: UNCONFIRMED
Severity: Normal
Priority: P2
Component: SVG
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: wjmaclean at chromium.org
Steps to Reproduce:
Render the attached SVG file (mask-excessive-malloc.svg, from the existing
layout tests directory)
Actual output: dumping the render tree gives
layer at (0,0) size 800x600
RenderView at (0,0) size 800x600
layer at (0,0) size 800x600
RenderSVGRoot {svg} at (0,0) size 800x600
RenderSVGResourceMasker {mask} [id="mask"] [maskUnits=objectBoundingBox]
[maskContentUnits=userSpaceOnUse]
RenderPath {rect} at (0,0) size 0x0 [fill={[type=SOLID] [color=#FFFFFF]}]
[data="M0.00,0.00 L2147483648.00,0.00 L2147483648.00,2147483648.00
L0.00,2147483648.00 Z"]
RenderPath {path} at (200,200) size 100x200 [fill={[type=SOLID]
[color=#0000FF]}] [data="M200.00,200.00 L300.00,200.00 L300.00,400.00
L200.00,400.00 Z"]
[masker="mask"] RenderSVGResourceMasker {mask} at (190,180) size
214748364800.00x429496729600.00
Expected output: the render tree should look like (note size of first
RenderPath object):
layer at (0,0) size 800x600
RenderView at (0,0) size 800x600
layer at (0,0) size 800x600
RenderSVGRoot {svg} at (0,0) size 800x600
RenderSVGResourceMasker {mask} [id="mask"] [maskUnits=objectBoundingBox]
[maskContentUnits=userSpaceOnUse]
RenderPath {rect} at (0,0) size 800x600 [fill={[type=SOLID]
[color=#FFFFFF]}] [data="M0.00,0.00 L2147483648.00,0.00
L2147483648.00,2147483648.00 L0.00,2147483648.00 Z"]
RenderPath {path} at (200,200) size 100x200 [fill={[type=SOLID]
[color=#0000FF]}] [data="M200.00,200.00 L300.00,200.00 L300.00,400.00
L200.00,400.00 Z"]
[masker="mask"] RenderSVGResourceMasker {mas
Additional information:
The underlying cause appears to be an unsafe float -> int conversion in
FloatRect::enclosingIntRect, where static_cast<int> is used on a float outside
the range representable by int.
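A range-checked conversion of the kind the diagnosis above points to, as an added example that is not WebKit's code or the fix that was eventually landed. The struct layouts and the names clampToInt, clampedExtent and safeEnclosingIntRect are assumptions, and a 32-bit int is assumed.

```cpp
#include <algorithm>
#include <cmath>
#include <limits>

// Minimal stand-ins for the WebKit types named in the report (assumed layout).
struct FloatRect { float x, y, width, height; };
struct IntRect { int x, y, width, height; };

// Hypothetical helper: saturate instead of applying static_cast<int> to an
// out-of-range float, which is undefined behaviour in C++. NaN maps to 0.
int clampToInt(float value)
{
    // INT_MAX is not representable as float (it rounds up to 2^31),
    // so the bound is 2^31 itself. Assumes a 32-bit int.
    const float twoTo31 = 2147483648.0f;
    if (std::isnan(value))
        return 0;
    if (value >= twoTo31)
        return std::numeric_limits<int>::max();
    if (value <= -twoTo31)
        return std::numeric_limits<int>::min();
    return static_cast<int>(value); // value is now known to fit
}

// Hypothetical helper: edge difference taken in 64 bits, then saturated,
// so the width or height cannot wrap around.
int clampedExtent(int low, int high)
{
    long long extent = static_cast<long long>(high) - low;
    extent = std::max<long long>(extent, std::numeric_limits<int>::min());
    extent = std::min<long long>(extent, std::numeric_limits<int>::max());
    return static_cast<int>(extent);
}

// Smallest integer rectangle containing rect, with every edge saturated.
IntRect safeEnclosingIntRect(const FloatRect& rect)
{
    int left = clampToInt(std::floor(rect.x));
    int top = clampToInt(std::floor(rect.y));
    int right = clampToInt(std::ceil(rect.x + rect.width));
    int bottom = clampToInt(std::ceil(rect.y + rect.height));
    return IntRect{left, top, clampedExtent(left, right), clampedExtent(top, bottom)};
}
```

With the 2147483648 x 2147483648 rect from the render tree dump, this returns a width and height of INT_MAX rather than an unspecified value.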