Closed Bug 332378 Opened 18 years ago Closed 18 years ago

Bad SVG crashes browser

Categories: Core :: SVG, defect
Version: 1.8 Branch
Platform: x86, Windows XP
Type: defect
Priority: Not set
Severity: critical
Tracking: RESOLVED DUPLICATE of bug 318379
People: Reporter: pieksu, Unassigned
Details: Keywords: crash, testcase
Attachments: 2 files

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1

The file below is from the SVG tutorial at: http://www.svgbasics.com/markers.html

I have made some illogical changes to it. I am learning SVG, so I just try random things. It is probably not even legal SVG, so it should not display, but it actually crashes the browser. This happens every time on my setup.

File begins with the first svg tag below. Please use diff or similar to see my changes. I could not find a smaller file that also crashes yet.

<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink"
     version="1.1">
<g viewBox = "0 0 400 200" version = "1.1" transform="scale(.2)">
    <defs>
        <marker id = "StartMarker" viewBox = "0 0 12 12" refX = "12" refY = "6" markerWidth = "3" markerHeight = "3" stroke = "green" stroke-width = "2" fill = "none" orient = "auto">
            <circle cx = "6" cy = "6" r = "5"/>
        </marker>
        <marker id = "MidMarker" viewBox = "0 0 10 10" refX = "5" refY = "5" markerUnits = "strokeWidth" markerWidth = "3" markerHeight = "3" stroke = "lightblue" stroke-width = "2" fill = "none" orient = "auto">
            <path d = "M 0 0 L 10 10 M 0 10 L 10 0"/>
        </marker>
        <marker id = "EndMarker" viewBox = "0 0 10 10" refX = "5" refY = "5" markerUnits = "strokeWidth" markerWidth = "3" markerHeight = "3" stroke = "red" stroke-width = "2" fill = "none">
            <rect x = "0" y = "0" width = "10" height = "10"/>
        </marker>
    </defs>
    <path d = "M 200 250 L 700 100 L 900 350 L 1200 400 S 1300 200 S 1700 680 L 2200 680 L 2600 400" fill = "none" stroke = "black" stroke-width = "50" marker-start = "url(#StartMarker)" marker-mid = "url(#MidMarker)" marker-end = "url(#EndMarker)"/>
    <path d = "M 1000 750 S 2000 750 2500 1250 S 1200 1000 1300 1400 L 1700 1480 1900 1200" fill = "none" stroke = "tomato" stroke-width = "50" marker-start = "url(#StartMarker)" marker-mid = "url(#MidMarker)" marker-end = "url(#EndMarker)"/>

</g>
</svg>

Reproducible: Always

Steps to Reproduce:
1. Save the indicated part as an svg file.
2. Open it for viewing.
3. Have browser crash.

Actual Results:  
Browser crashes.

Expected Results:  
Probably should not display anything. I believe the file is malformed, but I am just learning SVG.
Doesn't crash with my 2006-03-29 trunk build, so it might already be fixed somehow.
Reporter, could you perhaps post a Talkback ID?
Assignee: nobody → general
Component: General → SVG
Keywords: testcase
Product: Firefox → Core
QA Contact: general → ian
Version: unspecified → 1.8 Branch
I confirm the crash in a 1.5.0.1 release, and I also crash in a recent 1.5.0.2 debug release dereferencing a null aMark->x here:
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/layout/svg/base/src/nsSVGMarkerFrame.cpp&rev=MOZILLA_1_8_0_BRANCH&mark=403#390

Not exploitable, I'm going to clear the security flag.

It's quite possible recent trunk stability fixes have cured this (SVG crashes have been a focus). If it's easy to figure out which patch it might be nice to get it into the branch if it's safe enough.
Group: security
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash
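The reporter suspects the file is not legal SVG, and the comment above traces the crash to a null aMark->x in the marker frame code. The check below is an added example, not code from this bug or from Mozilla: it tokenizes SVG path data and flags any command whose argument count is not a positive multiple of its arity, which is the kind of input validation a renderer wants before it builds a marker list from a path. Run against the testcase's two top-level paths, it flags the two `S` segments in the first path that carry only two numbers instead of four. Whether those short segments are the exact trigger of the null dereference is not established on this page and is an assumption here; the example only shows that the testcase fails a straightforward well-formedness check. Only the Python standard library is used.

```python
import re
import xml.etree.ElementTree as ET

# SVG 1.1 path commands and the number of numeric arguments each one consumes
# per repetition (a command letter may be followed by several argument groups).
ARITY = {"M": 2, "L": 2, "H": 1, "V": 1, "C": 6, "S": 4,
         "Q": 4, "T": 2, "A": 7, "Z": 0}

# One command letter or one number per token; spaces and commas are skipped.
TOKEN = re.compile(r"[MLHVCSQTAZ]|[-+]?(?:\d+\.?\d*|\.\d+)(?:[eE][-+]?\d+)?", re.I)


def check_path_data(d):
    """Return [(command, argument_count)] for every command whose argument
    count is not a positive multiple of its arity (Z must have none)."""
    tokens = TOKEN.findall(d)
    problems = []
    i = 0
    while i < len(tokens):
        cmd = tokens[i]
        if not cmd.isalpha():
            # A number with no preceding command is itself malformed.
            problems.append(("?", 1))
            i += 1
            continue
        i += 1
        nargs = 0
        while i < len(tokens) and not tokens[i].isalpha():
            nargs += 1
            i += 1
        arity = ARITY[cmd.upper()]
        if arity == 0:
            ok = nargs == 0
        else:
            ok = nargs > 0 and nargs % arity == 0
        if not ok:
            problems.append((cmd, nargs))
    return problems


def check_svg(svg_text):
    """Walk every <path> in an SVG document and report malformed 'd' data as
    (label, command, argument_count); an empty list means all paths parsed."""
    root = ET.fromstring(svg_text)
    report = []
    for el in root.iter("{http://www.w3.org/2000/svg}path"):
        label = el.get("id") or el.get("stroke") or "path"
        for cmd, n in check_path_data(el.get("d", "")):
            report.append((label, cmd, n))
    return report


# Constructed sample: the two top-level paths of the reporter's testcase, with
# the marker definitions dropped (their path data is well formed).
TESTCASE = """<svg xmlns="http://www.w3.org/2000/svg" version="1.1">
  <path d="M 200 250 L 700 100 L 900 350 L 1200 400 S 1300 200 S 1700 680 L 2200 680 L 2600 400"
        fill="none" stroke="black" stroke-width="50"/>
  <path d="M 1000 750 S 2000 750 2500 1250 S 1200 1000 1300 1400 L 1700 1480 1900 1200"
        fill="none" stroke="tomato" stroke-width="50"/>
</svg>"""

if __name__ == "__main__":
    for label, cmd, n in check_svg(TESTCASE):
        print(f"path stroke={label}: command {cmd} has {n} argument(s), "
              f"expected a positive multiple of {ARITY.get(cmd.upper(), 'n/a')}")
```

The tokenizer deliberately ignores separators rather than validating them, so it reports only arity problems; a renderer that wants to reject stray characters as well would compare the matched token spans against the full string. The point for a defender is that a parser should refuse a segment with missing coordinates up front instead of carrying a partially filled structure into later code.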
I clicked on the "test case" in the bug report, and it crashed my browser as previously. The text file was created by the crash handler/quality feedback thingy, and I have not modified it in any way.
No, sorry, that's not useful.
A Talkback ID would be useful, see: http://kb.mozillazine.org/Talkback
for an explanation of what a Talkback ID is and how to get it.
Note that currently Talkback seems to be down, so there is no way to send one :(

Ria, would you otherwise be willing to find the date when this testcase got fixed?
That way it's possible to see which patch fixed it, and they can see whether they want that patch in the 1.8.0.3 release.
Ok, thanks, Ria, so this is fixed by bug 318379.
Marking this bug a duplicate of that one.
Apparently that bug needs an optimised patch for branch to get approval.

*** This bug has been marked as a duplicate of 318379 ***
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → DUPLICATE