[Webkit-unassigned] [Bug 106228] New: [Qt] SVG tests with huge paths and with small dashes are crashing

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Jan 7 09:37:27 PST 2013 

https://bugs.webkit.org/show_bug.cgi?id=106228

           Summary: [Qt] SVG tests with huge paths and with small dashes
                    are crashing
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Linux
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: SVG
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: reni at webkit.org
                CC: zimmermann at kde.org


During SVG fuzzing I got a crash with the attached test case.
The test contains one huge path with small dashes. The problem is that too many small dash fragments are generated and there is memory is allocated for each of them. This way we run out of memory.
The same problem was detected in skia too. They limited the maximum number of dashes per paths to 1 million. How about a similar solution in Qt too?

Backtrace:

#0  memcpy () at ../sysdeps/x86_64/memcpy.S:437
#1  0x00007fffe95ce7ef in ?? () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Gui.so.5
#2  0x00007fffe9612c12 in ?? () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Gui.so.5
#3  0x00007fffe960b205 in QPainterPath::lineTo(QPointF const&) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Gui.so.5
#4  0x00007fffe960b3d7 in ?? () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Gui.so.5
#5  0x00007fffe963fce0 in QStroker::joinPoints(double, double, QLineF const&, QStroker::LineJoinMode) ()
   from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Gui.so.5
#6  0x00007fffe9644847 in ?? () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Gui.so.5
#7  0x00007fffe964294b in QStroker::processCurrentSubpath() () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Gui.so.5
#8  0x00007fffe964071f in ?? () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Gui.so.5
#9  0x00007fffe964114c in QDashStroker::processCurrentSubpath() () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Gui.so.5
#10 0x00007fffe9642acb in QStrokerOps::strokePath(QPainterPath const&, void*, QTransform const&) ()
   from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Gui.so.5
#11 0x00007fffe960d08b in QPainterPathStroker::createStroke(QPainterPath const&) const () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Gui.so.5
#12 0x00007ffff48335da in WebCore::Path::strokeBoundingRect (this=0x9936c0, applier=0x7fffffffc060)
    at /home/reni/WebKit-git/Source/WebCore/platform/graphics/qt/PathQt.cpp:177
#13 0x00007ffff4994316 in WebCore::RenderSVGShape::calculateStrokeBoundingBox (this=0x99b3d8)
    at /home/reni/WebKit-git/Source/WebCore/rendering/svg/RenderSVGShape.cpp:398
#14 0x00007ffff4992a3b in WebCore::RenderSVGShape::updateShapeFromElement (this=0x99b3d8)
    at /home/reni/WebKit-git/Source/WebCore/rendering/svg/RenderSVGShape.cpp:77
....

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list