[Webkit-unassigned] [Bug 65858] New: OOB Read in WebCore::SVGAnimationElement

Mon Aug 8 08:37:13 PDT 2011

https://bugs.webkit.org/show_bug.cgi?id=65858

           Summary: OOB Read in WebCore::SVGAnimationElement
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
               URL: http://www.bogotobogo.com/svg_source/rollingpath.svg
        OS/Version: All
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: SVG
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: kenrb at chromium.org
                CC: zimmermann at kde.org

Created an attachment (id=103254)
 --> (https://bugs.webkit.org/attachment.cgi?id=103254&action=review)
SVG animation crash repro

Upstreaming bug filed against Chromium: http://code.google.com/p/chromium/issues/detail?id=73030

Seeing crashes from B-Spline animation with certain properties. The provided URL and the attached file crash the renderer in slightly different ways.

This was analyzed for security implications and is not thought to have any, other than simple renderer crash.

I have a fix for this.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.