nsSVGForeignObjectFrame::PaintSVG needlessly checks aDirtyRect

Status: RESOLVED INVALID
Product: Core
Component: SVG
Severity: minor
Reported: 7 years ago
Last modified: 6 years ago
Reporter: timeless
Assignee: Unassigned
Keywords: coverity
Version: Trunk
Attachments: 2 obsolete attachments

Description (Reporter)

7 years ago
198 nsSVGForeignObjectFrame::PaintSVG(nsSVGRenderState *aContext,
199                                   const nsIntRect *aDirtyRect)

218   /* Check if we need to draw anything. */

null check:
219   if (aDirtyRect) {
220     PRInt32 appUnitsPerDevPx = PresContext()->AppUnitsPerDevPixel();
221     if (!mRect.ToOutsidePixels(appUnitsPerDevPx).Intersects(*aDirtyRect))
222       return NS_OK;
223   }

no null check:
247   gfxRect transDirtyRect = gfxRect(aDirtyRect->x, aDirtyRect->y,
248                                    aDirtyRect->width, aDirtyRect->height);

Updated

6 years ago
Severity: critical → minor
Keywords: crash

Comment 1

6 years ago
Created attachment 528000 [details] [diff] [review]
patch

There's no caller of the method that passes non-null as aDirtyRect.
Attachment #528000 - Flags: review?(dholbert)
Comment 2

Comment on attachment 528000 [details] [diff] [review]
patch

> NS_IMETHODIMP
> nsSVGForeignObjectFrame::PaintSVG(nsSVGRenderState *aContext,
>                                   const nsIntRect *aDirtyRect)
> {
>+  NS_PRECONDITION(aDirtyRect, "We expect aDirtyRect to be non-null");
>+
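Review bot: NS_PRECONDITION documents the non-null expectation but does not enforce it in release builds, where the macro compiles to nothing, so the unconditional `aDirtyRect->x` dereference quoted in the description (line 247) would still crash if a caller does pass null. If the `if (aDirtyRect)` guard at line 219 is being dropped on the basis that no caller passes null, that claim needs checking against every call path into PaintSVG, and the patch description should record which call sites were audited; if any path can legitimately pass null, the check should stay rather than be replaced by a debug-only assertion.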

I think I'd prefer NS_ABORT_IF_FALSE, but I won't hold you to that. :)
Attachment #528000 - Flags: review?(dholbert) → review+

Comment 3

6 years ago
Created attachment 528018 [details] [diff] [review]
hg changeset patch
Assignee: nobody → longsonr
Attachment #528000 - Attachment is obsolete: true

Updated

6 years ago
Keywords: checkin-needed
Summary: crash [@ nsSVGForeignObjectFrame::PaintSVG] if !aDirtyRect → nsSVGForeignObjectFrame::PaintSVG needlessly checks !aDirtyRect
Summary: nsSVGForeignObjectFrame::PaintSVG needlessly checks !aDirtyRect → nsSVGForeignObjectFrame::PaintSVG needlessly checks aDirtyRect
http://hg.mozilla.org/mozilla-central/rev/f23ef87dcfb3
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Target Milestone: --- → mozilla6

Updated

6 years ago
Depends on: 667324

Comment 5

6 years ago
Backed out https://hg.mozilla.org/integration/mozilla-inbound/rev/24365794891f to fix bug 667324
Status: RESOLVED → REOPENED
Resolution: FIXED → ---

Updated

6 years ago
Attachment #528018 - Attachment is obsolete: true

Updated

6 years ago
Assignee: longsonr → nobody
Target Milestone: mozilla6 → ---

Comment 6

6 years ago
So if you have a foreignObject in a pattern then you can get a call with aDirtyRect null. That seems to be the only case. I don't think foreignObject works at all in a pattern though as IsDisabled() will always be true since the foreignObject's mRect won't be initialised currently.
The null checks are needed, and in fact were extended in bug 716527.
Status: REOPENED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → INVALID
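To make concrete both the inconsistency Coverity flagged in the description (a guarded use of aDirtyRect followed by an unguarded one) and the conclusion in comment 6 (a null aDirtyRect is a legitimate call, so the checks must stay), here is an added, stand-alone C++ sketch. It is not Gecko code: IntRect, PaintInconsistent, PaintConsistent and the PaintResult values are constructed for this example, NullDeref stands in for the crash the unguarded dereference would cause, and reading a null dirty rect as "paint the whole frame" is an assumption made here, not what nsSVGForeignObjectFrame does.

```cpp
#include <cstdint>
#include <iostream>

// Constructed stand-in for nsIntRect / the frame's mRect (not Gecko code).
struct IntRect {
    int32_t x, y, width, height;
    bool Intersects(const IntRect& o) const {
        return x < o.x + o.width && o.x < x + width &&
               y < o.y + o.height && o.y < y + height;
    }
};

enum class PaintResult { Skipped, Painted, NullDeref };

// The shape Coverity reports: the early exit guarded on aDirtyRect tells the
// analyzer that null is a possible value, so the later unconditional use of
// the same pointer is flagged. NullDeref models that crash so the example
// stays runnable instead of actually dereferencing a null pointer.
PaintResult PaintInconsistent(const IntRect& frameRect, const IntRect* aDirtyRect) {
    if (aDirtyRect) {                          // guarded use (line 219 in the report)
        if (!frameRect.Intersects(*aDirtyRect))
            return PaintResult::Skipped;
    }
    // ... intervening work ...
    if (!aDirtyRect)
        return PaintResult::NullDeref;         // would be aDirtyRect->x (line 247)
    IntRect transDirtyRect{aDirtyRect->x, aDirtyRect->y,
                           aDirtyRect->width, aDirtyRect->height};
    (void)transDirtyRect;                      // would be handed to the graphics context
    return PaintResult::Painted;
}

// Consistent handling: decide once what a null pointer means and derive every
// later use from that decision. Here null is read as "no dirty-rect clipping,
// paint the whole frame" (an assumption for this example; comment 6 only says
// the null call happens for a foreignObject inside a pattern).
PaintResult PaintConsistent(const IntRect& frameRect, const IntRect* aDirtyRect) {
    const IntRect clip = aDirtyRect ? *aDirtyRect : frameRect;
    if (!frameRect.Intersects(clip))
        return PaintResult::Skipped;
    IntRect transDirtyRect{clip.x, clip.y, clip.width, clip.height};
    (void)transDirtyRect;                      // would be handed to the graphics context
    return PaintResult::Painted;
}

static const char* Name(PaintResult r) {
    switch (r) {
        case PaintResult::Skipped:   return "Skipped";
        case PaintResult::Painted:   return "Painted";
        case PaintResult::NullDeref: return "NullDeref (crash)";
    }
    return "?";
}

int main() {
    const IntRect frame{0, 0, 10, 10};          // constructed frame rect
    const IntRect farAway{20, 20, 5, 5};        // constructed dirty rect that misses the frame
    std::cout << "inconsistent, null dirty rect: " << Name(PaintInconsistent(frame, nullptr)) << '\n'
              << "inconsistent, far dirty rect:  " << Name(PaintInconsistent(frame, &farAway)) << '\n'
              << "consistent, null dirty rect:   " << Name(PaintConsistent(frame, nullptr)) << '\n'
              << "consistent, far dirty rect:    " << Name(PaintConsistent(frame, &farAway)) << '\n';
    return 0;
}
```

The point of the second version is not the particular meaning chosen for null but that the meaning is chosen once, at the top, so no later line can disagree with the guard above it; that is the property the static analyzer was checking for.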