[Webkit-unassigned] [Bug 52732] [CSS Gradients] Crash due to out-of-memory with repeating-linear-gradient and latter stop positioned before former

[bugzilla-daemon at webkit.org]

https://bugs.webkit.org/show_bug.cgi?id=52732





--- Comment #5 from Adam Roben (aroben) <aroben at apple.com>  2011-01-19 12:44:09 PST ---
When we enter this bit of code:

        // Work forwards from the end, adding stops until we get one after 1.
        float lastOffset = stops[stops.size() - 1].offset;
        if (lastOffset < maxExtent) {
            float currOffset = lastOffset;
            size_t srcStopOrdinal = 0;

            while (true) {
                GradientStop newStop = stops[srcStopOrdinal];
                newStop.offset = currOffset;
                stops.append(newStop);
                if (currOffset > maxExtent)
                    break;
                if (srcStopOrdinal < originalNumStops - 1)
                    currOffset += stops[originalFirstStopIndex + srcStopOrdinal + 1].offset - stops[originalFirstStopIndex + srcStopOrdinal].offset;
                srcStopOrdinal = (srcStopOrdinal + 1) % originalNumStops;
            }
        }

stops has two items, both of which have offset 0. maxExtent is 1. So we basically keep doing 0 += 0, and then if (0 > 1) break;

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.