Closed Bug 294137 Opened 20 years ago Closed 18 years ago

Mozilla accepts illegal syntax on transform attribute

Categories

(Core :: SVG, defect)

Product:
Core
Component:
SVG
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: holger, Assigned: wellsk)

References

Details

(Keywords: testcase)

Attachments

(2 files, 3 obsolete files)

file with illegal transform attribute
333 bytes, image/svg+xml
Details
address review comments
20.61 KB, patch
roc
: review+
roc
: superreview+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050512 Firefox/1.0+
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050512 Firefox/1.0+

in a transform attribute when leaving out the last bracked, e.g:
transform="translate(100 100" or transform="translate(100 100) scale(0.5 0.5"
mozilla performs the transformation anyways, causing possible incompatibility
with excisting implementations.

Reproducible: Always

Steps to Reproduce:
1.add a correct transformation to an svg element
2.delete the last bracked
3.

Actual Results:  
everything still works fine

Expected Results:  
cause an error, or at least dont apply the transformation
Keywords: testcase

    
    

    
  
imo we should ship this if it's easy before shipping SVG in a release...
Severity: trivial → normal
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking1.8b4?
OS: Windows XP → All
Hardware: PC → All

    
    

    
  
We can fix this after we branch if necessary. The problem area is:

 
http://lxr.mozilla.org/seamonkey/source/content/svg/content/src/nsSVGTransformList.cpp#128

and if anyone wants to work on this now, the relevant part of the spec is:

  http://www.w3.org/TR/SVG/coords.html#TransformAttribute
Flags: blocking1.8b4?

    
    

    
  
i'm not sure, but in
http://lxr.mozilla.org/seamonkey/source/content/svg/content/src/nsSVGTransformList.cpp#128
shouldnt it be enough to add ")" to delimiters3

143   const char* delimiters3 = "\x20\x9\xD\xA,";
>>
143   const char* delimiters3 = "\x20\x9\xD\xA,)";

    
    

    
  


  
This patch is dependent on the patch added for 338142 -- dependent on the new superclass nsSVGDataParser.

This patch detects the case below as being invalid:
  transform="rotate(20"

Other cases that are detected and marked as invalid:
 transform="translate -10, -10)  scale 2)"
 transform="translate(-10, -10)  scale 2)"
 transform="translate 10 40"

    
    

    
  
The patch submitted for 294137 has a dependency on the patch submitted for 338142.  Can some one with the authorization make this known by updating the field "Bug 294137 depends on:" with bug number 338142???  

    
    

    
  
Requested dependency from comment 6 added.
Depends on: 338142

    
    

    
  


  
Updated patch to reflect changes made in bug 338142.

    
  

        Attachment #224866 -
        Flags: review?(tor)

    
    

    
  
Comment on attachment 224866 [details] [diff] [review]
Updated patch to reflect changes from bug 338142

Besides some overly clever array initialization, which is debatable, looks good.

        Attachment #224866 -
        Flags: review?(tor) → review+

    
  
Assignee: general → wellsk

    
    

    
  
Comment on attachment 224866 [details] [diff] [review]
Updated patch to reflect changes from bug 338142

>+//----------------------------------------------------------------------
>+nsresult nsSVGTransformListParser::GetTransformToken(nsIAtom** aKeyatom, PRBool aAdvancePos)
>+{
>+
>+  if (!(mTokenType == OTHER) || (*mTokenPos == '\0') ) 
>+     return NS_ERROR_FAILURE;
>+
>+  char* keyword;
>+  char buf[10];
>+  char* rest = strncpy(buf, mTokenPos, 10);
>+  const char* delimiters1 = "\x20\x9\xD\xA,(";
>+  keyword = nsCRT::strtok(rest, delimiters1, &rest);
>+

rest/buf may not be nul terminated if mTokenPos has 10 characters or more in. I think strtok expects a nul terminated string. Is this a problem?

I'm not sure why rest is used as it is the same as buf.

    
    

    
  
(In reply to comment #10)
> rest/buf may not be nul terminated if mTokenPos has 10 characters or more in. I
> think strtok expects a nul terminated string. Is this a problem?

Hmm, yes.  Since the longest token we expect is 9 characters, we should have a buffer of 11 characters and force the last character to \0.  That way we can prevent accidently passing something "translateBla".

> I'm not sure why rest is used as it is the same as buf.

In addition to removing rest as Robert mentiones, use NS_ARRAY_LENGTH to generate the size passed to strncpy.

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Suggested changes made (obsolete)
        — Splinter Review
      

    


  

        Attachment #223774 -
        Attachment is obsolete: true

        Attachment #224866 -
        Attachment is obsolete: true

        Attachment #235899 -
        Flags: review?(tor)

    
  

        Attachment #235899 -
        Flags: superreview?(roc)

        Attachment #235899 -
        Flags: review?(tor)

        Attachment #235899 -
        Flags: review+

    
    

    
  
+{
+
+  if (!(mTokenType == OTHER) || (*mTokenPos == '\0') ) 

I don't much like this style of a blank line after the function open brace. Also, lose the unnecessary parens and convert ! == to !=

+    if ((mTokenPos != 0) && (nsCRT::strlen(mTokenPos) > 0 )) {

here too, and elsewhere

> aKeyatom

aKeyAtom

+  while (IsTokenWspStarter()) {
+    ENSURE_MATCHED(MatchWsp());
+  }

+  while (IsTokenCommaWspStarter()) {
+    ENSURE_MATCHED(MatchCommaWsp());
+  }

Create helpers for these, as they get repeated a lot?

I think you should also shrink the code by having a helper that matches between N and M comma-separated floats, putting them into an array.

Is it really intended to treat "translate(0,)" as translate(0,0)? Is that in fact what this does, or is the second float actually uninitialized?

+  nsCOMPtr<nsIDOMSVGTransform> transform;
+  NS_NewSVGTransform(getter_AddRefs(transform));
+
+  transform->SetSkewX(angle);
+
+  mTransform->AppendObject(transform);

You could also have a helper that creates a new transform object and adds it to mTransform, returning a weak pointer to the new transform object. Don't forget check for OOM, too.

    
    

    
  


  

        Attachment #235899 -
        Attachment is obsolete: true

        Attachment #235899 -
        Flags: superreview?(roc)

    
    

    
  
Comment on attachment 238311 [details] [diff] [review]
address review comments

nice

        Attachment #238311 -
        Flags: superreview+

        Attachment #238311 -
        Flags: review+

    
    

    
  
Checked in.

Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: