Closed Bug 1212954 Opened 4 years ago Closed 4 years ago

Loading feImage with negative or percentage size svg causes an ns_error assertion

Categories

(Core :: SVG, defect)


RESOLVED FIXED
mozilla44

People

(Reporter: twointofive, Assigned: twointofive)

Attachments

(2 files)

If feImage tries to load an SVG image with a negative or percentage width or height, then SVGSVGElement returns a negative number from GetIntrinsicWidth/Height, but the 

  if (imageIntSize.IsEmpty()) {

check in VectorImage::GetFrame at https://mxr.mozilla.org/mozilla-central/source/image/VectorImage.cpp?rev=6f47f75d3136#699 (which gets called from SVGFEImageElement::GetPrimitiveDescription in this case) only returns IsEmpty if width or height is 0.

So then we try to
  CreateOffscreenContentDrawTarget(aSize, SurfaceFormat::B8G8R8A8);
in VectorImage::GetFrameAtSize with negative size values and get

[Child 4469] WARNING: Surface width or height < 0!: file mozilla-central/gfx/thebes/gfxASurface.cpp, line 385
[Child 4469] WARNING: Surface width or height < 0!: file mozilla-central/gfx/thebes/gfxASurface.cpp, line 385
[Child 4469] ###!!! ASSERTION: Could not create a DrawTarget: 'Error', file mozilla-central/image/VectorImage.cpp, line 732

The attached testcase asserts, as do the testcases in bug 1097856 and bug 703890 (which I don't think crashes anymore - I'll add a comment there in a bit).

The simple fix seems to be to replace
  if (imageIntSize.IsEmpty()) {
with
  if (imageIntSize.width <= 0 || imageIntSize.height <= 0) {
in VectorImage::GetFrame.

I'll write it up and add the testcase here as a crashtest.
Assignee: nobody → twointofive

Or fix IsEmpty to return true if width or height <= 0. That's how it's defined for a rect, for instance: https://mxr.mozilla.org/mozilla-central/source/gfx/2d/BaseRect.h#61

Attached patch: Patch v1

Thanks Robert, I was hoping someone would suggest that.  Can you review this or suggest someone who can?
Attachment #8671631 - Flags: review?(longsonr)
Attachment #8671631 - Flags: review?(longsonr) → review?(roc)

This landed this morning
https://hg.mozilla.org/mozilla-central/rev/9c65a4a58b55
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla44
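
Added example (not part of the bug thread or the Mozilla tree): a simplified C++ model of the two emptiness checks discussed in this bug, showing how a negative size gets past a zero-only check and reaches the surface allocator. IntSizeModel, AllocateSurfaceModel and GetFrameModel are hypothetical stand-ins, not Gecko's classes, and the sample sizes are constructed.

```cpp
#include <cstdint>
#include <cstdio>

// Simplified stand-in for an integer size type; not Gecko's class.
struct IntSizeModel {
  int32_t width;
  int32_t height;
  // Check as described in the report: only a zero dimension is "empty".
  bool IsEmptyZeroOnly() const { return width == 0 || height == 0; }
  // Check as suggested in the bug: any non-positive dimension is "empty".
  bool IsEmptyNonPositive() const { return width <= 0 || height <= 0; }
};

enum class FrameResult { Skipped, Drawn, AllocationFailed };

// Hypothetical allocator for a 4-bytes-per-pixel surface. It refuses negative
// dimensions, modelling the "Surface width or height < 0!" warning.
bool AllocateSurfaceModel(const IntSizeModel& s, uint64_t* outBytes) {
  if (s.width < 0 || s.height < 0) return false;
  *outBytes = uint64_t(s.width) * uint64_t(s.height) * 4;
  return true;
}

// Models the caller: bail out early on an empty size, otherwise allocate.
FrameResult GetFrameModel(const IntSizeModel& s, bool useFixedCheck) {
  bool empty = useFixedCheck ? s.IsEmptyNonPositive() : s.IsEmptyZeroOnly();
  if (empty) return FrameResult::Skipped;
  uint64_t bytes = 0;
  if (!AllocateSurfaceModel(s, &bytes)) return FrameResult::AllocationFailed;
  return FrameResult::Drawn;
}

int main() {
  // Constructed sample sizes: negative width, zero height, valid size.
  const IntSizeModel samples[] = {{-100, 50}, {100, 0}, {100, 50}};
  for (const IntSizeModel& s : samples) {
    std::printf("%dx%d zero-only=%d non-positive=%d\n", s.width, s.height,
                int(GetFrameModel(s, false)), int(GetFrameModel(s, true)));
  }
  return 0;
}
```

With the zero-only check the negative size falls through to the allocator and fails there; with the non-positive check it is rejected at the early return, the same path a zero size already takes.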