Bug 336047 - Off by one error in nsSVGPolygonFrame::GetMarkPoints, coverity 345

Status: RESOLVED WORKSFORME (opened 14 years ago, closed 9 years ago)
Product: Core :: SVG
Type: defect
Platform: x86 Linux
Priority: Not set
Reporter: jonsmirl
Assignee: Unassigned
References: Blocks 1 open bug
Keywords: coverity
Attachments: 1 file

I'm not sure how to fix this. If you get into GetMarkPoints() with one point, you will use an uninitialized variable, startAngle. It is not clear to me whether the fix is to ensure that count is 2 or more, or to fix things so that they work for the single-point case.

This may be the correct fix, but someone with more specific SVG knowledge needs to check this.

Index: layout/svg/base/src/nsSVGPolygonFrame.cpp
===================================================================
RCS file: /cvsroot/mozilla/layout/svg/base/src/nsSVGPolygonFrame.cpp,v
retrieving revision 1.14
diff -u -r1.14 nsSVGPolygonFrame.cpp
--- layout/svg/base/src/nsSVGPolygonFrame.cpp	6 Apr 2006 13:02:53 -0000	1.14
+++ layout/svg/base/src/nsSVGPolygonFrame.cpp	30 Apr 2006 21:26:10 -0000
@@ -207,9 +207,9 @@
     point->GetY(&y);
 
     float angle = atan2(y-py, x-px);
-    if (i == 1)
+    if (i < 1)
       startAngle = angle;
-    else if (i > 1)
+    else
       ((nsSVGMark *)aMarks->ElementAt(aMarks->Count()-1))->angle = 
         nsSVGUtils::AngleBisect(prevAngle, angle);
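Review bot: moving the startAngle assignment from `i == 1` to `i < 1` changes which angle startAngle holds, not just whether it is initialized: at i == 0 the `atan2(y-py, x-px)` call uses px/py before the loop has processed any earlier point, and the hunk does not show those being set for that iteration. The new unconditional `else` also runs at i == 1, reading prevAngle and writing `aMarks->ElementAt(aMarks->Count()-1)`, and the hunk shows neither prevAngle being assigned before that nor a check that Count() is non-zero. If the goal is only to avoid the uninitialized read reported by Coverity for the single-point case, a smaller change is an early return when fewer than two points are present (or initializing startAngle before the loop) while keeping the `i == 1` / `i > 1` branches as they are; either way the patch description should say how the first segment's angle is meant to be defined.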
Coverity 342, 344, 344, 345 all complain about uninitialized variables in this routine.

External assumptions need to be made about PATHSEG_CLOSEPATH coming after the other segments. While this may always be true, the routine doesn't check for it, and Coverity can't correctly identify the errors, if any.
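The description above leaves open whether the right fix is to require at least two points or to make the single-point case well-defined. The following is an added example, not Mozilla's code and not the attached patch: a self-contained routine in the shape of GetMarkPoints that takes the first option (reject fewer than two points up front) and additionally initializes startAngle and prevAngle before the loop so that no path can read them unset. `Point`, `Mark`, `AngleBisect` and `GetMarkPoints` here are hypothetical stand-ins for the nsSVG* types and nsSVGUtils::AngleBisect, and the bisector semantics (half-way from the first angle to the second, counter-clockwise) are an assumption; the input polygons are constructed for the example.

```cpp
// Added example (not Mozilla's code): a mark-angle routine for a closed
// polygon that handles the one-point case safely. All names below are
// hypothetical stand-ins for the nsSVG* types and nsSVGUtils::AngleBisect.
#include <cmath>
#include <cstddef>
#include <vector>

constexpr float kPi = 3.14159265358979f;

struct Point { float x; float y; };

// A marker position plus the direction (radians) the marker should face.
struct Mark { float x; float y; float angle; };

// Assumed semantics: the direction halfway from a1 to a2, measured in the
// positive (counter-clockwise) sense starting at a1.
static float AngleBisect(float a1, float a2) {
    float delta = std::fmod(a2 - a1, 2.0f * kPi);
    if (delta < 0.0f) delta += 2.0f * kPi;
    return a1 + delta / 2.0f;
}

// Computes one mark per vertex of a closed polygon. Returns false, leaving
// aMarks empty, when fewer than two points are given: with a single point
// there is no segment, so no direction can be derived, and the loop would
// otherwise reach the closing step with startAngle never assigned.
static bool GetMarkPoints(const std::vector<Point>& points, std::vector<Mark>& aMarks) {
    aMarks.clear();
    if (points.size() < 2) return false;

    // Initialised before the loop so nothing can read them unset, even if
    // the guard above is ever relaxed.
    float startAngle = 0.0f;  // direction of the first segment (vertex 0 -> 1)
    float prevAngle = 0.0f;   // direction of the most recent segment
    float px = points[0].x, py = points[0].y;

    for (std::size_t i = 0; i < points.size(); ++i) {
        float x = points[i].x, y = points[i].y;
        if (i > 0) {
            // Direction of the segment arriving at vertex i.
            float angle = std::atan2(y - py, x - px);
            if (i == 1)
                startAngle = angle;  // first segment: nothing to bisect yet
            else
                aMarks.back().angle = AngleBisect(prevAngle, angle);  // vertex i-1
            prevAngle = angle;
        }
        aMarks.push_back({x, y, 0.0f});  // angle is set once the outgoing segment is known
        px = x; py = y;
    }

    // Closing segment from the last vertex back to the first one.
    float closeAngle = std::atan2(points[0].y - py, points[0].x - px);
    aMarks.back().angle = AngleBisect(prevAngle, closeAngle);
    aMarks.front().angle = AngleBisect(closeAngle, startAngle);
    return true;
}

// Constructed input: a single point, which must be rejected without a mark.
static bool SinglePointRejected() {
    std::vector<Point> one = {{3.0f, 4.0f}};
    std::vector<Mark> marks;
    return !GetMarkPoints(one, marks) && marks.empty();
}

// Constructed input: the unit square, traversed counter-clockwise.
static std::vector<Mark> SquareMarks() {
    std::vector<Point> square = {{0.0f, 0.0f}, {1.0f, 0.0f}, {1.0f, 1.0f}, {0.0f, 1.0f}};
    std::vector<Mark> marks;
    GetMarkPoints(square, marks);
    return marks;
}

int main() {
    // Exit status 0 when the single point is rejected and the square yields
    // four marks whose first angle is -pi/4 (bisecting the closing and first segments).
    std::vector<Mark> marks = SquareMarks();
    bool ok = SinglePointRejected() && marks.size() == 4 &&
              std::fabs(marks[0].angle + kPi / 4.0f) < 1e-5f;
    return ok ? 0 : 1;
}
```

For the square the vertex angles come out as -pi/4, pi/4, 3pi/4 and 5pi/4: each mark faces the bisector of its incoming and outgoing edges, which is what the Coverity-flagged routine computes for i > 1 and what the closing step supplies for the first and last vertices.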
Tor, did you mean to set reviews?
tor, this file was removed a while ago. Can this bug just be resolved?
Assignee: general → nobody
QA Contact: ian → general
The code was moved to nsSVGPolyElement.cpp; it has also changed, so startAngle does not exist any more. Does coverity complain about anything in nsSVGPolyElement? If not, this bug could be closed as worksforme.
This code is gone. Similar bugs in the replacement code are covered in bug 614522.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WORKSFORME