Fix up a crash relied on 'keySplines' of <animate*>

This patch fixes up a crash relied on 'keySplines' of <animate*>. All values of 'keySplines' must all be in the range 0 to 1.[1] So this patch checks this ranges of the values. [1] https://svgwg.org/specs/animations/#KeySplinesAttribute Bug: 1114169 Change-Id: I1878842a5b07702743e5d59ada4a8c11a1cfed36 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2344426 Commit-Queue: Hyunjune Kim <hyunjune.kim@samsung.com> Commit-Queue: Philip Rogers <pdr@chromium.org> Reviewed-by: Philip Rogers <pdr@chromium.org> Cr-Commit-Position: refs/heads/master@{#796239}

Fix up a crash relied on 'keySplines' of <animate*>
This patch fixes up a crash relied on 'keySplines' of <animate*>. All values of 'keySplines' must all be in the range 0 to 1.[1] So this patch checks this ranges of the values. [1] https://svgwg.org/specs/animations/#KeySplinesAttribute Bug: 1114169 Change-Id: I1878842a5b07702743e5d59ada4a8c11a1cfed36 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2344426 Commit-Queue: Hyunjune Kim <hyunjune.kim@samsung.com> Commit-Queue: Philip Rogers <pdr@chromium.org> Reviewed-by: Philip Rogers <pdr@chromium.org> Cr-Commit-Position: refs/heads/master@{#796239}
64e08110 · Hyunjune · Commit Bot · 403ee48d · 64e08110 · 64e08110
Commit 64e08110 authored Aug 08, 2020 by Hyunjune Committed by Commit Bot Aug 08, 2020
3 changed files
--- a/third_party/blink/renderer/core/svg/svg_animation_element.cc
+++ b/third_party/blink/renderer/core/svg/svg_animation_element.cc
@@ -136,8 +136,9 @@ static bool ParseKeySplinesInternal(const String& string,
      ptr++;
    SkipOptionalSVGSpaces(ptr, end);
-    // Require that the x values are within the [0, 1] range.
+    // The values of cpx1 cpy1 cpx2 cpy2 must all be in the range 0 to 1.
-    if (!IsInZeroToOneRange(cp1x) || !IsInZeroToOneRange(cp2x))
+    if (!IsInZeroToOneRange(cp1x) || !IsInZeroToOneRange(cp1y) ||
+        !IsInZeroToOneRange(cp2x) || !IsInZeroToOneRange(cp2y))
      return false;
    result.push_back(gfx::CubicBezier(cp1x, cp1y, cp2x, cp2y));

--- a/third_party/blink/web_tests/external/wpt/svg/animations/keysplines-x-limits.html
+++ b/third_party/blink/web_tests/external/wpt/svg/animations/keysplines-x-limits.html
@@ -22,6 +22,26 @@
    <animate attributeName="x" values="0; 250" dur="5s"
             keyTimes="0; 1" keySplines="0 0 2 1" calcMode="spline"/>
  </rect>
+  <rect x="10" width="10" height="10" y="50" fill="blue">
+     <animateMotion values="0,50; 250,50" dur="5s" keyPoints="0; 1"
+                    keyTimes="0; 1" keySplines="-10 0 1 1"
+                    calcMode="spline"/>
+  </rect>
+  <rect x="10" width="10" height="10" y="60" fill="blue">
+     <animateMotion values="0,60; 250,60" dur="5s" keyPoints="0; 1"
+                    keyTimes="0; 1" keySplines="10 0 1 1"
+                    calcMode="spline"/>
+  </rect>
+  <rect x="10" width="10" height="10" y="70" fill="blue">
+     <animateMotion values="0,70; 250,70" dur="5s" keyPoints="0; 1"
+                    keyTimes="0; 1" keySplines="0 0 -10 1"
+                    calcMode="spline"/>
+  </rect>
+  <rect x="10" width="10" height="10" y="80" fill="blue">
+     <animateMotion values="0,80; 250,80" dur="5s" keyPoints="0; 1"
+                    keyTimes="0; 1" keySplines="0 0 10 1"
+                    calcMode="spline"/>
+  </rect>
 </svg>
 <script>
  async_test(t => {
@@ -36,6 +56,10 @@
        assert_equals(rects[2].getBBox().x, 10, 'first control point x greater than one');
        assert_equals(rects[3].getBBox().x, 10, 'second control point x less than zero');
        assert_equals(rects[4].getBBox().x, 10, 'second control point x greater than one');
+        assert_equals(rects[5].getBBox().x, 10, 'first control point x less than zero');
+        assert_equals(rects[6].getBBox().x, 10, 'first control point x greater than one');
+        assert_equals(rects[7].getBBox().x, 10, 'second control point x less than zero');
+        assert_equals(rects[8].getBBox().x, 10, 'second control point x greater than one');
      }));
    });
  });

--- a/third_party/blink/web_tests/external/wpt/svg/animations/keysplines-y-limits.html
+++ b/third_party/blink/web_tests/external/wpt/svg/animations/keysplines-y-limits.html
+<!DOCTYPE html>
+<title>'keySplines' with y-values outside of the 0 to 1 range</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<svg>
+  <rect x="10" width="10" height="10" fill="blue">
+    <animate attributeName="x" values="0; 250" dur="5s"/>
+  </rect>
+  <rect x="10" width="10" height="10" y="20" fill="blue">
+    <animate attributeName="x" values="0; 250" dur="5s"
+             keyTimes="0; 1" keySplines="0 -1 1 1" calcMode="spline"/>
+  </rect>
+  <rect x="10" width="10" height="10" y="30" fill="blue">
+    <animate attributeName="x" values="0; 250" dur="5s"
+             keyTimes="0; 1" keySplines="0 2 1 1" calcMode="spline"/>
+  </rect>
+  <rect x="10" width="10" height="10" y="10" fill="blue">
+    <animate attributeName="x" values="0; 250" dur="5s"
+             keyTimes="0; 1" keySplines="0 0 1 -1" calcMode="spline"/>
+  </rect>
+  <rect x="10" width="10" height="10" y="40" fill="blue">
+    <animate attributeName="x" values="0; 250" dur="5s"
+             keyTimes="0; 1" keySplines="0 0 1 2" calcMode="spline"/>
+  </rect>
+  <rect x="10" width="10" height="10" y="50" fill="blue">
+     <animateMotion values="0,50; 250,50" dur="5s" keyPoints="0; 1"
+                    keyTimes="0; 1" keySplines="0 -10 1 1"
+                    calcMode="spline"/>
+  </rect>
+  <rect x="10" width="10" height="10" y="60" fill="blue">
+     <animateMotion values="0,60; 250,60" dur="5s" keyPoints="0; 1"
+                    keyTimes="0; 1" keySplines="0 10 1 1"
+                    calcMode="spline"/>
+  </rect>
+  <rect x="10" width="10" height="10" y="70" fill="blue">
+     <animateMotion values="0,70; 250,70" dur="5s" keyPoints="0; 1"
+                    keyTimes="0; 1" keySplines="0 0 1 -10"
+                    calcMode="spline"/>
+  </rect>
+  <rect x="10" width="10" height="10" y="80" fill="blue">
+     <animateMotion values="0,80; 250,80" dur="5s" keyPoints="0; 1"
+                    keyTimes="0; 1" keySplines="0 0 1 10"
+                    calcMode="spline"/>
+  </rect>
+</svg>
+<script>
+  async_test(t => {
+    let svg = document.querySelector('svg');
+    svg.pauseAnimations();
+    svg.setCurrentTime(2.5);
+    window.onload = t.step_func(() => {
+      requestAnimationFrame(t.step_func_done(() => {
+        let rects = document.getElementsByTagName('rect');
+        assert_equals(rects[0].getBBox().x, 125, 'animations applied');
+        assert_equals(rects[1].getBBox().x, 10, 'first control point y less than zero');
+        assert_equals(rects[2].getBBox().x, 10, 'first control point y greater than one');
+        assert_equals(rects[3].getBBox().x, 10, 'second control point y less than zero');
+        assert_equals(rects[4].getBBox().x, 10, 'second control point y greater than one');
+        assert_equals(rects[5].getBBox().x, 10, 'first control point y less than zero');
+        assert_equals(rects[6].getBBox().x, 10, 'first control point y greater than one');
+        assert_equals(rects[7].getBBox().x, 10, 'second control point y less than zero');
+        assert_equals(rects[8].getBBox().x, 10, 'second control point y greater than one');
+      }));
+    });
+  });
+</script>