Closed
Bug 332378
Opened 18 years ago
Closed 18 years ago
Bad SVG crashes browser
Categories
(Core :: SVG, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 318379
People
(Reporter: pieksu, Unassigned)
Details
(Keywords: crash, testcase)
Attachments
(2 files)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1 The file below is from the SVG tutorial at: http://www.svgbasics.com/markers.html I have made some illogical changes to it. I am learning SVG, so I just try random things. It is probably not even legal SVG, so it should not display, but it actually crashes the browser. This happens every time on my setup. File begins with the first svg tag below. Please use diff or similar to see my changes. I could not find a smaller file that also crashes yet. <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1"> <g viewBox = "0 0 400 200" version = "1.1" transform="scale(.2)"> <defs> <marker id = "StartMarker" viewBox = "0 0 12 12" refX = "12" refY = "6" markerWidth = "3" markerHeight = "3" stroke = "green" stroke-width = "2" fill = "none" orient = "auto"> <circle cx = "6" cy = "6" r = "5"/> </marker> <marker id = "MidMarker" viewBox = "0 0 10 10" refX = "5" refY = "5" markerUnits = "strokeWidth" markerWidth = "3" markerHeight = "3" stroke = "lightblue" stroke-width = "2" fill = "none" orient = "auto"> <path d = "M 0 0 L 10 10 M 0 10 L 10 0"/> </marker> <marker id = "EndMarker" viewBox = "0 0 10 10" refX = "5" refY = "5" markerUnits = "strokeWidth" markerWidth = "3" markerHeight = "3" stroke = "red" stroke-width = "2" fill = "none"> <rect x = "0" y = "0" width = "10" height = "10"/> </marker> </defs> <path d = "M 200 250 L 700 100 L 900 350 L 1200 400 S 1300 200 S 1700 680 L 2200 680 L 2600 400" fill = "none" stroke = "black" stroke-width = "50" marker-start = "url(#StartMarker)" marker-mid = "url(#MidMarker)" marker-end = "url(#EndMarker)"/> <path d = "M 1000 750 S 2000 750 2500 1250 S 1200 1000 1300 1400 L 1700 1480 1900 1200" fill = "none" stroke = "tomato" stroke-width = "50" marker-start = "url(#StartMarker)" marker-mid = "url(#MidMarker)" marker-end = "url(#EndMarker)"/> </g> </svg> Reproducible: Always Steps to Reproduce: 1. Save the indicated part as an svg file. 2. Open it for viewing. 3. Have browser crash. Actual Results: Browser crashes. Expected Results: Probably should not display anything. I believe the file is malformed, but I am just learning SVG.
Comment 1•18 years ago
|
||
Comment 2•18 years ago
|
||
Doesn't crash with my 2006-03-29 trunk build, so it might already be fixed somehow. Reporter, could you perhaps post a Talkback ID?
Assignee: nobody → general
Component: General → SVG
Keywords: testcase
Product: Firefox → Core
QA Contact: general → ian
Version: unspecified → 1.8 Branch
Comment 3•18 years ago
|
||
I confirm the crash in a 1.5.0.1 release, and I also crash in a recent 1.5.0.2 debug release dereferencing a null aMark->x here: http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/layout/svg/base/src/nsSVGMarkerFrame.cpp&rev=MOZILLA_1_8_0_BRANCH&mark=403#390 Not exploitable, I'm going to clear the security flag. It's quite possible recent trunk stability fixes have cured this (SVG crashes have been a focus). If it's easy to figure out which patch it might be nice to get it into the branch if it's safe enough.
Reporter | ||
Comment 4•18 years ago
|
||
I clicked on the "test case" in the bug report, and it crashed my browser as previously. The text file was created by the crash handler/quality feedback thingy, and I have nto modified it in any way.
Comment 5•18 years ago
|
||
No, sorry, that's not useful. A Talkback ID would be useful, see: http://kb.mozillazine.org/Talkback for an explanation of what a Talkback ID is and how to get it. Note that currently Talkback seems to be down, so there is no way to send one :( Rias, would you otherwise be willing to find the date when this testcase got fixed? That way it's possible to see which patch fixed it, and they can see whether they want that patch in the 1.8.0.3 release.
Comment 6•18 years ago
|
||
Problem with the talkback server at the moment. 1.9a1_2005120214 - 1.9a1_2005120300 http://bonsai.mozilla.org/cvsquery.cgi?module=PhoenixTinderbox&date=explicit&mindate=2005-12-02+13%3A00&maxdate=2005-12-03+00%3A00
Comment 7•18 years ago
|
||
Ok, thanks, Ria, so this is fixed by bug 318379. Marking this bug a duplicate of that one. Apparently that bug needs an optimised patch for branch to get approval. *** This bug has been marked as a duplicate of 318379 ***
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•