REGRESSION(277450@main): OOB array read with SVG animation where keyP…

…oints = 0. https://bugs.webkit.org/show_bug.cgi?id=272929 rdar://126636733 Reviewed by Said Abou-Hallawa. This change makes a couple additional, similar changes to the original changes to better track the SVG spec. (See the original bug for more information.) * LayoutTests/svg/animations/animate-zero-keyPoints-should-not-crash-expected.txt: Added. * LayoutTests/svg/animations/animate-zero-keyPoints-should-not-crash.html: Added. * Source/WebCore/svg/SVGAnimationElement.cpp: (WebCore::SVGAnimationElement::keyTimes const): (WebCore::SVGAnimationElement::startedActiveInterval): Canonical link: https://commits.webkit.org/278212@main
WebKit · May 1, 2024 · 53e67f6 · 53e67f6
1 parent 70e44fd
commit 53e67f6
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 2 deletions.
diff --git a/LayoutTests/svg/animations/animate-zero-keyPoints-should-not-crash-expected.txt b/LayoutTests/svg/animations/animate-zero-keyPoints-should-not-crash-expected.txt
@@ -0,0 +1,2 @@
+Passes if it does not crash.
+
diff --git a/LayoutTests/svg/animations/animate-zero-keyPoints-should-not-crash.html b/LayoutTests/svg/animations/animate-zero-keyPoints-should-not-crash.html
@@ -0,0 +1,12 @@
+<body>
+    <svg zoomAndPan="magnify">
+        <text>
+            Passes if it does not crash.
+            <animateMotion path="m 1,0" keyPoints="0" keyTimes="0" restart="always"/>
+        </text>
+    </svg>
+    <script>
+        if (window.testRunner)
+            testRunner.dumpAsText();
+    </script>
+</body>
diff --git a/Source/WebCore/svg/SVGAnimationElement.cpp b/Source/WebCore/svg/SVGAnimationElement.cpp
@@ -393,7 +393,7 @@ static inline double solveEpsilon(double duration) { return 1 / (200 * duration)
 
 const Vector<float>& SVGAnimationElement::keyTimes() const
 {
-    return calcMode() == CalcMode::Paced ? m_keyTimesForPaced : m_keyTimesFromAttribute;
+    return (calcMode() == CalcMode::Paced && animationMode() != AnimationMode::Path) ? m_keyTimesForPaced : m_keyTimesFromAttribute;
 }
 
 unsigned SVGAnimationElement::calculateKeyTimesIndex(float percent) const
@@ -589,7 +589,7 @@ void SVGAnimationElement::startedActiveInterval()
         if (calcMode == CalcMode::Paced && m_animationValid)
             calculateKeyTimesForCalcModePaced();
     } else if (animationMode == AnimationMode::Path)
-        m_animationValid = calcMode == CalcMode::Paced || !hasAttributeWithoutSynchronization(SVGNames::keyPointsAttr) || (keyTimes.size() > 1 && keyTimes.size() == m_keyPoints.size());
+        m_animationValid = !hasAttributeWithoutSynchronization(SVGNames::keyPointsAttr) || (keyTimes.size() > 1 && keyTimes.size() == m_keyPoints.size());
 }
 
 void SVGAnimationElement::updateAnimation(float percent, unsigned repeatCount)