Chromium Code Reviews

Issue 261603002: Prevent use of stale list length for to-animations of transform lists (Closed)

Created:
6 years, 7 months ago by fs
Modified:
6 years, 7 months ago
Reviewers:
pdr.
CC:
blink-reviews, ed+blinkwatch_opera.com, shans, rjwright, alancutter (OOO until 2018), Mike Lawther (Google), rwlbuis, fs, kouhei+svg_chromium.org, dstockwell, Timothy Loh, krit, f(malita), gyuyoung.kim_webkit.org, darktears, Stephen Chennney, Steve Block, dino_apple.com, pdr., Eric Willigers
Visibility:
Public.

Description

Prevent use of stale list length for to-animations of transform lists

When animating a transform list with a "To animation", the from value will be the currently animated value, and hence the clear() in SVGTransformList::calculateAnimatedValue will modify the fromList, and clobber the |fromListSize| local variable - leading to an out-of-bounds access.

To avoid this, acquire the reference to the effectiveFrom value earlier - before the clear(). Also fold the single use of |fromListSize|.

BUG=368481

Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=173192
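The defect the description refers to is an ordering problem: a length is cached from the "from" list, the output list is cleared, and because a to-animation uses the currently animated list as its own "from" value, the two lists alias and the cached length is stale. The following is an added C++ illustration, not code from the Blink change or from SVGTransformList.cpp; the list type, function names and sample values are constructed for the example, and std::vector::at() is used so the stale read surfaces as an exception instead of an out-of-bounds memory access.

```cpp
#include <cstddef>
#include <stdexcept>
#include <vector>

// Constructed stand-in for an animated transform list: each entry is a 1-D translation.
using TransformList = std::vector<double>;

// Ordering with the defect described in the change: the from-list length is
// cached, then the animated (output) list is cleared. For a to-animation the
// from list *is* the animated list, so the cached length is stale and the
// later at(0) is past the end. at() throws instead of reading out of bounds,
// so the defect is reported rather than silently corrupting memory.
bool animateStaleLength(TransformList& animated, const TransformList& from,
                        const TransformList& to, double progress) {
    size_t toListSize = to.size();
    size_t fromListSize = from.size();   // cached before clear()
    animated.clear();                    // when &from == &animated this empties `from` too
    try {
        double effectiveFrom = fromListSize ? from.at(0) : 0.0;  // stale length -> throws
        for (size_t i = 0; i < toListSize; ++i)
            animated.push_back(effectiveFrom + (to[i] - effectiveFrom) * progress);
    } catch (const std::out_of_range&) {
        return false;  // the out-of-bounds access the bug report describes
    }
    return true;
}

// Corrected ordering, mirroring the fix in the description: the from value is
// acquired before clear(), so aliasing between the from list and the animated
// list no longer matters, and no separately cached length is needed.
bool animateFixed(TransformList& animated, const TransformList& from,
                  const TransformList& to, double progress) {
    size_t toListSize = to.size();
    double effectiveFrom = from.empty() ? 0.0 : from[0];  // read before clear()
    animated.clear();
    for (size_t i = 0; i < toListSize; ++i)
        animated.push_back(effectiveFrom + (to[i] - effectiveFrom) * progress);
    return true;
}

// Drives either version with the aliasing a to-animation produces: the list
// being animated is also passed as the from list. Returns whether the
// animation step completed without a stale read; the result is copied out.
bool reproduceToAnimation(bool useFix, double progress, TransformList* result) {
    TransformList animated{10.0};        // current animated value (constructed)
    const TransformList to{30.0, 50.0};  // constructed "to" list
    bool ok = useFix ? animateFixed(animated, animated, to, progress)
                     : animateStaleLength(animated, animated, to, progress);
    if (result) *result = animated;
    return ok;
}
```

Running `reproduceToAnimation(false, 0.5, nullptr)` reports the stale read, while the fixed ordering interpolates normally from the single pre-clear value. The same pattern (cache a size, mutate a container, keep using the size) is worth a regression test whenever a function can receive the same object through two parameters.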

Patch Set 1 #

Stats: +18 lines, -3 lines

A LayoutTests/svg/animations/animateTransform-list-crash-2.html (1 chunk, +15 lines, -0 lines, 0 comments)
A + LayoutTests/svg/animations/animateTransform-list-crash-2-expected.txt (0 chunks, +-1 lines, --1 lines, 0 comments)
M Source/core/svg/SVGTransformList.cpp (1 chunk, +4 lines, -4 lines, 0 comments)

Messages

Total messages: 9 (0 generated)
fs
6 years, 7 months ago (2014-04-30 11:41:24 UTC) #1
pdr.
LGTM It's a shame we can't share more logic between our animated list types.
6 years, 7 months ago (2014-05-02 02:49:17 UTC) #2
pdr.
The CQ bit was checked by pdr@chromium.org
6 years, 7 months ago (2014-05-02 02:49:31 UTC) #3
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/fs@opera.com/261603002/1
6 years, 7 months ago (2014-05-02 02:49:42 UTC) #4
commit-bot: I haz the power
The CQ bit was unchecked by commit-bot@chromium.org
6 years, 7 months ago (2014-05-02 03:00:17 UTC) #5
commit-bot: I haz the power
Try jobs failed on following builders: blink_presubmit on tryserver.blink
6 years, 7 months ago (2014-05-02 03:00:17 UTC) #6
fs
The CQ bit was checked by fs@opera.com
6 years, 7 months ago (2014-05-02 08:26:42 UTC) #7
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/fs@opera.com/261603002/1
6 years, 7 months ago (2014-05-02 08:26:53 UTC) #8
commit-bot: I haz the power
6 years, 7 months ago (2014-05-02 09:31:06 UTC) #9
Message was sent while issue was closed.
Change committed as 173192
