Closed
Bug 614522
Opened 14 years ago
Closed 14 years ago
SVGPathData::GetMarkerPositioningData reads uninitialised stack allocated memory
Categories
(Core :: Graphics, defect)
Core
Graphics
Tracking
()
RESOLVED
FIXED
Tracking | Status | |
---|---|---|
blocking2.0 | --- | - |
People
(Reporter: jseward, Assigned: jwatt)
References
Details
(Keywords: regression, valgrind)
Attachments
(1 file)
6.79 KB,
patch
|
dholbert
:
review+
|
Details | Diff | Splinter Review |
It looks like SVGPathData::GetMarkerPositioningData can get to here 502: segStartAngle = segEndAngle = AngleOfVector(segEnd - segStart); without first assigning anything to segStart. This leads to the following complaints, when running layout/svg/crashtests/371563-1.xhtml Observed on x86_64-linux and x86-win32. Should be observable on all platforms. Conditional jump or move depends on uninitialised value(s) at 0x6323F94: AngleOfVector(gfxPoint) (gfxPoint.h:127) by 0x6327E94: mozilla::SVGPathData::GetMarkerPositioningData (SVGPathData.cpp:491) by 0x62FAB43: nsSVGPathElement::GetMarkPoints (nsSVGPathElement.cpp:418) by 0x62894B5: nsSVGPathGeometryFrame::GetCoveredRegion (nsSVGPathGeometryFrame.cpp:217) by 0x6286401: nsSVGOuterSVGFrame::UpdateAndInvalidateCoveredRegion (nsSVGOuterSVGFrame.cpp:659) by 0x6292C3C: nsSVGUtils::UpdateGraphic (nsSVGUtils.cpp:692) by 0x628833E: nsSVGPathGeometryFrame::NotifyRedrawUnsuspended (nsSVGPathGeometryFrame.cpp:338) by 0x62855B8: nsSVGOuterSVGFrame::UnsuspendRedraw (nsSVGOuterSVGFrame.cpp:715) by 0x62858E3: nsSVGOuterSVGFrame::DidReflow (nsSVGOuterSVGFrame.cpp:403) by 0x59D3E07: nsLineLayout::ReflowFrame (nsLineLayout.cpp:971) by 0x5968FBB: nsBlockFrame::ReflowInlineFrame (nsBlockFrame.cpp:3794) by 0x5969AAA: nsBlockFrame::DoReflowInlineFrames (nsBlockFrame.cpp:3590) Uninitialised value was created by a stack allocation at 0x6326AC6: mozilla::SVGPathData::GetMarkerPositioningData (SVGPathData.cpp:453) followed by a whole bunch of clones inside __ieee754_atan2, since AngleOfVector passes the uninitialised values onwards there.
Assignee | ||
Updated•14 years ago
|
Assignee: nobody → jwatt
Reporter | ||
Comment 1•14 years ago
|
||
ftr (so it doesn't get forgotten): [01:29] <jwatt> sewardj: note that pathStartPoint is dead too
Updated•14 years ago
|
blocking2.0: final+ → -
Keywords: regression
Comment 3•14 years ago
|
||
Comment on attachment 497565 [details] [diff] [review] patch Looks good! Just some cleanup-ish nits -- feel free to ignore them if you see fit. >+ // info on current [sub]path (reset every M command): >+ gfxPoint pathStart(0, 0); s/0/0.0/ (gfxPoint constructor takes a gfxFloat aka double) >+ gfxPoint prevSegEnd(0, 0); Here too. >+ float prevSegEndAngle = 0; 0.0f >+ // info on current segment: >+ PRUint16 segType = >+ SVGPathSegUtils::DecodeType(mData[i++]); // advances i to args >+ gfxPoint &segStart = prevSegEnd, segEnd; Nit: This would be easier to read if setEnd got its own separate declaration. >- cp1 = SVGPathSegUtils::IsCubicType(prevSegType) ? segStart * 2 - prevCP : segStart; >+ { >+ gfxPoint cp1 = SVGPathSegUtils::IsCubicType(prevSegType) ? segStart * 2 - prevCP : segStart; More than 80 chars -- add some line-wrapping sauce. (maybe newline after "=" or "?") > case nsIDOMSVGPathSeg::PATHSEG_CURVETO_QUADRATIC_SMOOTH_REL: >- cp1 = SVGPathSegUtils::IsQuadraticType(prevSegType) ? segStart * 2 - prevCP : segStart; >+ { >+ gfxPoint cp1 = SVGPathSegUtils::IsQuadraticType(prevSegType) ? segStart * 2 - prevCP : segStart; Here too.
Attachment #497565 -
Flags: review?(dholbert) → review+
Attachment #497565 -
Flags: approval2.0?
Attachment #497565 -
Flags: approval2.0?
Assignee | ||
Comment 4•14 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/998a8a41310b
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•