[Webkit-unassigned] [Bug 63290] Stack overflow with enormous SVG filter

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Sep 19 17:00:51 PDT 2014


https://bugs.webkit.org/show_bug.cgi?id=63290


Said Abou-Hallawa <sabouhallawa at apple.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |sabouhallawa at apple.com




--- Comment #6 from Said Abou-Hallawa <sabouhallawa at apple.com>  2014-09-19 17:00:51 PST ---
The same crash also happens in Firefox.

The SVG looks like this:

<svg xmlns="http://www.w3.org/2000/svg">
<defs>
    <filter id="asdf">
    <feGaussianBlur stdDeviation="1.0" />
    <feGaussianBlur stdDeviation="1.0" />

    ... many more of the same feGaussianBlur FilterEffect

    <feGaussianBlur stdDeviation="1.0" />
    </filter>
</defs>
<rect x="10px" y="10px" width="20px" height="20px" filter="url(#asdf)"/>
</svg>

Since none of the feGaussianBlur elements defines its input FilterEffect, the previous feGaussianBlur is considered to be the input, except for the first one, where the SourceGraphic is considered to be the input.  So basically, a very deep tree is built for this bogus SVG, which acts exactly like a linked list in this case.

I tried fixing this bug by cutting off the recursion in the function RenderSVGResourceFilterPrimitive::determineFilterPrimitiveSubregion(), which fixes the crash.  But I got another crash in FilterEffect::apply() because it has the same kind of recursion, and it might need a similar cut-off.

I think the cleanest way to fix this bug is to cut off creating the FilterEffect tree from the beginning, when the SVG is loaded, instead of creating a very deep tree and then trying to cut off traversing it in many places.

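The chain the comment describes, as an added example that is not code from WebKit, Firefox or the bug reporter: it generates the SVG above with n feGaussianBlur primitives, resolves each primitive's implicit input the way the comment explains (an omitted "in" means the previous primitive, or SourceGraphic for the first), and shows that an input-first recursive walk of the resulting linked list exhausts the stack (a RangeError in V8; in the engine, a native stack overflow), while a load-time cap on the number of primitives, the fix the comment proposes, rejects the document before any tree exists. MAX_FILTER_PRIMITIVES is an assumed value, not a WebKit constant, and the regex extraction is only sufficient for this constructed input, not a general SVG parser.

```javascript
// Added example (not WebKit, Firefox or bug-reporter code): models how an SVG
// <filter> whose primitives omit the "in" attribute becomes a linked list, why a
// recursive walk over it overflows the stack, and how a load-time cap avoids that.

// Assumed cap on primitives per filter; not a WebKit constant.
const MAX_FILTER_PRIMITIVES = 1000;

// Build the SVG text from the bug report with n feGaussianBlur primitives (constructed input).
function buildSvg(n) {
  const blur = '    <feGaussianBlur stdDeviation="1.0" />\n';
  return '<svg xmlns="http://www.w3.org/2000/svg">\n<defs>\n    <filter id="asdf">\n' +
    blur.repeat(n) +
    '    </filter>\n</defs>\n' +
    '<rect x="10px" y="10px" width="20px" height="20px" filter="url(#asdf)"/>\n</svg>\n';
}

// Minimal extraction of fe* primitives with their "in" and "result" attributes.
// A regex is enough for the constructed document above; it is not a general SVG parser.
function parsePrimitives(svgText) {
  const primitives = [];
  const tagRe = /<(fe[A-Za-z]+)\b([^>]*)\/?>/g;
  let m;
  while ((m = tagRe.exec(svgText)) !== null) {
    const attrs = m[2];
    const inAttr = /\bin="([^"]*)"/.exec(attrs);
    const resultAttr = /\bresult="([^"]*)"/.exec(attrs);
    primitives.push({
      name: m[1],
      in: inAttr ? inAttr[1] : null,
      result: resultAttr ? resultAttr[1] : null,
    });
  }
  return primitives;
}

// Resolve each primitive's input as the comment describes: an explicit "in" names
// SourceGraphic or an earlier primitive's "result"; a missing (or unresolvable) "in"
// means the previous primitive, except for the first, which takes SourceGraphic.
// The cap applies the proposed fix: refuse to build the tree at load time instead
// of trimming recursion in every traversal.
function linkPrimitives(primitives, maxPrimitives = MAX_FILTER_PRIMITIVES) {
  if (primitives.length > maxPrimitives) {
    throw new RangeError(`filter has ${primitives.length} primitives, cap is ${maxPrimitives}`);
  }
  const byResult = new Map();
  const nodes = [];
  primitives.forEach((p, i) => {
    let input;
    if (p.in === 'SourceGraphic') input = 'SourceGraphic';
    else if (p.in && byResult.has(p.in)) input = byResult.get(p.in);
    else input = i === 0 ? 'SourceGraphic' : i - 1; // default: previous primitive
    if (p.result) byResult.set(p.result, i);
    nodes.push({ index: i, input });
  });
  return nodes;
}

// Recursive walk shaped like a traversal that visits a primitive's input before
// itself (the pattern behind determineFilterPrimitiveSubregion() and apply()).
// Returns the depth of the chain ending at nodes[index]; one stack frame per link.
function chainDepthRecursive(nodes, index) {
  const node = nodes[index];
  if (node.input === 'SourceGraphic') return 1;
  return 1 + chainDepthRecursive(nodes, node.input);
}

// Same result without recursion: bounded by heap, not by the call stack.
function chainDepthIterative(nodes, index) {
  let depth = 0;
  let cur = index;
  while (cur !== 'SourceGraphic') {
    depth += 1;
    cur = nodes[cur].input;
  }
  return depth;
}

// Reproduces the crash: build the uncapped tree, then walk it recursively.
// Returns true when the walk hits the engine's stack limit (RangeError in V8).
function recursiveWalkOverflows(n) {
  const nodes = linkPrimitives(parsePrimitives(buildSvg(n)), Infinity);
  try {
    chainDepthRecursive(nodes, nodes.length - 1);
    return false;
  } catch (e) {
    return e instanceof RangeError;
  }
}

// Returns true when the load-time cap rejects the filter before any tree is built.
function capRejects(n) {
  try {
    linkPrimitives(parsePrimitives(buildSvg(n)));
    return false;
  } catch (e) {
    return e instanceof RangeError;
  }
}
```

With 200000 primitives the recursive walk throws before it reaches SourceGraphic, the iterative walk reports the full depth, and the capped builder rejects the document outright; the point of capping at load time is that every later traversal (subregion computation, apply, invalidation) inherits the bound instead of each needing its own guard.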


