[Webkit-unassigned] [Bug 65858] OOB Read in WebCore::SVGAnimationElement

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Aug 9 13:24:55 PDT 2011


https://bugs.webkit.org/show_bug.cgi?id=65858
--- Comment #6 from Ken Buchanan <kenrb at chromium.org>  2011-08-09 13:24:55 PST ---
(In reply to comment #5)

Thanks for the review.


> What's the condition for index >= m_keySplines.size(), when does that happen?
> 

index is calculated based on the m_keyTimes array, which may or may not match the size of m_keySplines. These are obtained from the user data, so we need a check somewhere that they are in sync. It shouldn't happen, but it can with invalid data.

> Shouldn't we rather guarantee that if m_keyTimes.size() > 1, that m_keySplines.size() is always m_keyTimes.size() - 1 ?
> If there's such a mismatch we could clear m_keySplines/keyTimes instead of keeping "invalid states" around and checking for them in various places (calculatePercentFromKeyPoints/currentValuesForValuesAnimation/updateAnimation). Seems too fragile for me.
> 
> What do you think?

This was my first thought, but it seemed awkward doing this in parseMappedAttribute() because you can't necessarily know the order that the keySplines and keyTimes attributes will be parsed. You're probably right that this is safer, though. I'll submit a new patch with this approach.

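Added illustration of the invariant the reviewer proposes (this is not WebCore's code; the struct, method names and sample values are assumptions): both attribute-derived arrays are validated once after parsing and cleared together on a size mismatch, and the spline lookup still keeps its own bounds check.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Stand-in for one keySplines entry (the four Bezier control coordinates).
struct KeySpline { float x1, y1, x2, y2; };

// Hypothetical model of the two attribute-derived arrays discussed in the bug.
struct KeyedAnimation {
    std::vector<float> keyTimes;
    std::vector<KeySpline> keySplines;

    // The reviewer's invariant: N keyTimes require exactly N-1 keySplines.
    // Run once after both attributes have been parsed (parse order is unknown);
    // on mismatch drop both arrays so no later consumer sees a half-valid state.
    bool validateKeyArrays() {
        if (keyTimes.size() > 1 && keySplines.size() != keyTimes.size() - 1) {
            keyTimes.clear();
            keySplines.clear();
            return false;
        }
        return true;
    }

    // Segment index derived from keyTimes alone: the last keyTime at or
    // before `percent`. This is the value that was used to index keySplines.
    std::size_t keyTimesIndex(float percent) const {
        std::size_t index = 1;
        for (; index < keyTimes.size(); ++index)
            if (keyTimes[index] >= percent) break;
        return index - 1;
    }

    // Spline for `percent`, or nullptr if the state cannot be indexed safely.
    // The bounds check stays: a percent past the last keyTime still yields
    // index == keySplines.size() even when the invariant holds.
    const KeySpline* splineForPercent(float percent) const {
        if (keyTimes.size() < 2 || keySplines.empty()) return nullptr;
        std::size_t index = keyTimesIndex(percent);
        return index < keySplines.size() ? &keySplines[index] : nullptr;
    }
};

int main() {
    // Constructed inputs: a consistent pair, then a keyTimes/keySplines mismatch.
    KeyedAnimation good{{0.0f, 0.5f, 1.0f}, {{0, 0, 1, 1}, {0.4f, 0, 0.6f, 1}}};
    KeyedAnimation bad{{0.0f, 0.5f, 1.0f}, {{0, 0, 1, 1}}};
    std::printf("good=%d bad=%d\n", good.validateKeyArrays(), bad.validateKeyArrays());
}
```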