Closed Bug 164049 Opened 23 years ago Closed 21 years ago

SVGTransform.prototype.setMatrix crashes on null or undefined argument

Categories

(Core :: SVG, defect)

defect
Not set
critical

RESOLVED FIXED

People

(Reporter: jasonkarldavis, Assigned: jwatt)

Details

(Keywords: crash)

Attachments

(2 files, 1 obsolete file)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.1b) Gecko/20020814
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.1b) Gecko/20020814

Calling setMatrix(null) and setMatrix(undefined) crashes the browser. Calling setMatrix({}) and setMatrix([]) will disable rendering of any elements the transform applies to. I believe it is because it interprets them as matrix(0,0,0,0,0,0). Other literals, such as false, 7, and 'hello' all throw errors.

http://www.w3.org/TR/SVG11/coords.html#InterfaceSVGTransform does not claim setMatrix throws an exception, but the IDL indicates it should only accept an object of type SVGMatrix. Therefore, the literals should not throw an error, and instead should do absolutely nothing. Same with the empty object and array literals (which presently kill rendering). Then again, throwing an error would make sense - would someone else with more knowledge on the subject please comment?

Reproducible: Always

Steps to Reproduce:
1. View the URL

Actual Results: Mozilla crashed.

Expected Results: Do absolutely nothing as per the specs, or throw an error.
Hi. Using: Mozilla 1.1b Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.1b) Gecko/20020814 I confirm this behavior.
Well I'll try again, in that I believe that I've got confirm rights. Perhaps the new Bugzilla has a bug ;-) Using: Mozilla 1.1b Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.1b) Gecko/20020814 I confirm this behavior.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash
Steve, it would appear that you do indeed have confirm rights. Do you get a Talkback incidentID for your efforts? Please list that here. Thanks.
Hello. No, a Talkback incidentID is not possible in that these builds are 'experimental' zips with no Talkback features.
The URL is gone. Jason, do you still see this problem? If so, can you repost your test case?
Attached image testcase - click button to crash (obsolete)
Attached image improved testcase
Lets you set and test different arguments.
Attachment #150371 - Attachment is obsolete: true
OS: Windows XP → All
Hardware: PC → All
Apparently the JavaScript values null and undefined get passed to the C++ function as nsnull, so a simple NS_ENSURE_ARG(matrix) will fix the crash, but I will try and implement sensible handling of JS objects that don't implement QueryInterface before creating a patch.
Assignee: alex → jonathan.watt
Status: NEW → ASSIGNED
Attached patch crash patch
On second thoughts here's the patch to solve the crash. The problems encountered when JS objects are passed to setMatrix extend far further than just this function. Sanity checking of parameters would be better addressed as a separate issue. Roughly speaking the plan will be to ensure that only objects that are instances of *our* implementations of SVG interfaces may be passed to such functions (since XPConnect makes it impossible for the C++ code to ensure JS objects fully implement such interfaces and the interfaces they inherit).
Attachment #150965 - Flags: review?(alex)
Attachment #150965 - Flags: review?(alex) → review+
Checked in.
Status: ASSIGNED → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
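The two checks discussed in this bug, as an added sketch that is not the attached patch and not Gecko code: a null guard with the same shape as NS_ENSURE_ARG, plus the planned rule that only the engine's own implementation of the interface is accepted. All type names, the `ENSURE_ARG` macro and the result codes are hypothetical stand-ins, and `dynamic_cast` is just one assumed way to express "instance of our implementation".

```cpp
#include <cstdio>

// Stand-ins for XPCOM result codes (values constructed for this sketch).
enum Result { OK, ERR_INVALID_ARG, ERR_FOREIGN_IMPL };

// Same shape as the NS_ENSURE_ARG guard: bail out before any dereference.
#define ENSURE_ARG(arg) do { if (!(arg)) return ERR_INVALID_ARG; } while (0)

// Hypothetical interface in the role of the matrix interface.
struct IMatrix {
  virtual ~IMatrix() = default;
  virtual void Get(float out[6]) const = 0;
};

// "Our" implementation: the only kind the setter will trust.
struct Matrix final : IMatrix {
  float v[6];
  Matrix(float a, float b, float c, float d, float e, float f) : v{a, b, c, d, e, f} {}
  void Get(float out[6]) const override { for (int i = 0; i < 6; ++i) out[i] = v[i]; }
};

// Stands for a script object ({} or []) wrapped to look like the interface:
// every component reads as 0, which would blank whatever it is applied to.
struct ScriptedMatrix final : IMatrix {
  void Get(float out[6]) const override { for (int i = 0; i < 6; ++i) out[i] = 0; }
};

struct Transform {
  float m[6] = {1, 0, 0, 1, 0, 0};  // identity until a valid matrix is set
  Result SetMatrix(const IMatrix* matrix) {
    ENSURE_ARG(matrix);                        // null/undefined arrive as a null pointer
    if (!dynamic_cast<const Matrix*>(matrix))  // reject foreign implementations
      return ERR_FOREIGN_IMPL;
    matrix->Get(m);                            // safe: non-null and trusted type
    return OK;
  }
};

int main() {
  Transform t;
  ScriptedMatrix js;
  Matrix scale(2, 0, 0, 2, 0, 0);
  std::printf("null=%d foreign=%d own=%d\n",
              t.SetMatrix(nullptr), t.SetMatrix(&js), t.SetMatrix(&scale));
  return 0;
}
```

Both rejected calls leave the stored transform untouched, so a bad argument neither crashes nor silently zeroes the matrix.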