[Webkit-unassigned] [Bug 38684] New: Incorrect RenderPath object size when large coordinate values encountered

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu May 6 13:32:05 PDT 2010


https://bugs.webkit.org/show_bug.cgi?id=38684

           Summary: Incorrect RenderPath object size when large coordinate
                    values encountered
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
        OS/Version: Mac OS X 10.5
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: wjmaclean at chromium.org


Steps to Reproduce:

Render the attached SVG file (mask-excessive-malloc.svg, from the existing
layout tests directory)

Actual output: dumping the render tree gives

layer at (0,0) size 800x600
  RenderView at (0,0) size 800x600
layer at (0,0) size 800x600
  RenderSVGRoot {svg} at (0,0) size 800x600
    RenderSVGResourceMasker {mask} [id="mask"] [maskUnits=objectBoundingBox] [maskContentUnits=userSpaceOnUse]
      RenderPath {rect} at (0,0) size 0x0 [fill={[type=SOLID] [color=#FFFFFF]}] [data="M0.00,0.00 L2147483648.00,0.00 L2147483648.00,2147483648.00 L0.00,2147483648.00 Z"]
    RenderPath {path} at (200,200) size 100x200 [fill={[type=SOLID] [color=#0000FF]}] [data="M200.00,200.00 L300.00,200.00 L300.00,400.00 L200.00,400.00 Z"]
      [masker="mask"] RenderSVGResourceMasker {mask} at (190,180) size 214748364800.00x429496729600.00

Expected output: the render tree should look like (note size of first
RenderPath object):

layer at (0,0) size 800x600
  RenderView at (0,0) size 800x600
layer at (0,0) size 800x600
  RenderSVGRoot {svg} at (0,0) size 800x600
    RenderSVGResourceMasker {mask} [id="mask"] [maskUnits=objectBoundingBox] [maskContentUnits=userSpaceOnUse]
      RenderPath {rect} at (0,0) size 800x600 [fill={[type=SOLID] [color=#FFFFFF]}] [data="M0.00,0.00 L2147483648.00,0.00 L2147483648.00,2147483648.00 L0.00,2147483648.00 Z"]
    RenderPath {path} at (200,200) size 100x200 [fill={[type=SOLID] [color=#0000FF]}] [data="M200.00,200.00 L300.00,200.00 L300.00,400.00 L200.00,400.00 Z"]
      [masker="mask"] RenderSVGResourceMasker {mas

Chromium 5.0.395.0 (46220)

Additional information:

The underlying cause appears to be an unsafe float -> int conversion in
FloatRect::enclosingIntRect, where static_cast<int> is used on a float outside
the range representable by int.

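An added example (not WebKit's code and not from the reporter) showing the conversion the report calls out and the check that prevents it: static_cast<int> on a float at or above 2^31 is undefined behaviour in C++, so the enclosing-rect computation must saturate instead. The struct shapes, floatFitsInInt, clampToInteger, clampLongLongToInt and enclosingIntRectSafe are assumed stand-ins for the example, not WebCore's real types or functions, and the rect values are taken from the render-tree dump above.

```cpp
#include <cmath>
#include <cstdio>
#include <limits>

// Stand-ins for WebCore's FloatRect / IntRect (origin plus size). These are
// assumed shapes for the example, not the real WebCore classes.
struct FloatRect { float x, y, width, height; };
struct IntRect   { int x, y, width, height; };

// (float)INT_MAX rounds up to 2^31 in single precision, so any float
// >= kFloatIntMax is outside int range; (float)INT_MIN is exactly -2^31.
static const float kFloatIntMax = static_cast<float>(std::numeric_limits<int>::max());
static const float kFloatIntMin = static_cast<float>(std::numeric_limits<int>::min());

// The check the report is missing: is static_cast<int>(v) well defined?
bool floatFitsInInt(float v)
{
    return !std::isnan(v) && v >= kFloatIntMin && v < kFloatIntMax;
}

// The "before": static_cast<int> on an out-of-range float is undefined
// behaviour (on x86 the cvttss2si instruction produces INT_MIN, the
// "integer indefinite" value). Only call this on values that pass floatFitsInInt.
int unsafeToInt(float v) { return static_cast<int>(v); }

// Saturating conversion: NaN -> 0, out-of-range -> nearest int limit.
int clampToInteger(float v)
{
    if (std::isnan(v)) return 0;
    if (v >= kFloatIntMax) return std::numeric_limits<int>::max();
    if (v <= kFloatIntMin) return std::numeric_limits<int>::min();
    return static_cast<int>(v);
}

// Same idea for a 64-bit difference of two clamped edges.
int clampLongLongToInt(long long v)
{
    if (v > std::numeric_limits<int>::max()) return std::numeric_limits<int>::max();
    if (v < std::numeric_limits<int>::min()) return std::numeric_limits<int>::min();
    return static_cast<int>(v);
}

// Safe enclosingIntRect: each edge is floored/ceiled in float, converted
// with saturation, and the size is formed in 64 bits so that
// INT_MAX - INT_MIN cannot overflow an int.
IntRect enclosingIntRectSafe(const FloatRect& r)
{
    int left   = clampToInteger(std::floor(r.x));
    int top    = clampToInteger(std::floor(r.y));
    int right  = clampToInteger(std::ceil(r.x + r.width));
    int bottom = clampToInteger(std::ceil(r.y + r.height));
    IntRect out;
    out.x = left;
    out.y = top;
    out.width  = clampLongLongToInt(static_cast<long long>(right) - left);
    out.height = clampLongLongToInt(static_cast<long long>(bottom) - top);
    return out;
}

bool rectEquals(const IntRect& r, int x, int y, int w, int h)
{
    return r.x == x && r.y == y && r.width == w && r.height == h;
}

int main()
{
    // Constructed inputs matching the two RenderPath objects in the report.
    FloatRect maskRect = { 0.0f, 0.0f, 2147483648.0f, 2147483648.0f };
    FloatRect pathRect = { 200.0f, 200.0f, 100.0f, 200.0f };
    IntRect m = enclosingIntRectSafe(maskRect);
    IntRect p = enclosingIntRectSafe(pathRect);
    std::printf("2147483648.0f fits in int? %s\n", floatFitsInInt(2147483648.0f) ? "yes" : "no");
    std::printf("mask: at (%d,%d) size %dx%d\n", m.x, m.y, m.width, m.height);
    std::printf("path: at (%d,%d) size %dx%d\n", p.x, p.y, p.width, p.height);
    return 0;
}
```

With saturation the mask rect comes out as a large positive INT_MAX x INT_MAX box rather than the 0x0 (or sign-flipped) result the undefined cast can produce; clipping it down to the 800x600 viewport is a separate step that this example does not perform.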
