Bug 1333418 - Don't exceed index of KeyframeValueEntry more than entry's length. r=birtles
authorHiroyuki Ikezoe <hikezoe@mozilla.com>
Mon, 30 Jan 2017 12:51:04 +0900
changeset 378251 df653a73e41432ba67ea7eb65ada4aa84bbf10cb
parent 378250 666a84e3779ad7a6440297a1fad552f1f60c9f97
child 378252 c20c6b11a1dae5bc59a7f2a3c4ab286778f41b41
push id7198
push userjlorenzo@mozilla.com
push dateTue, 18 Apr 2017 12:07:49 +0000
treeherdermozilla-beta@d57aa49c3948 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersbirtles
bugs1333418
milestone54.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1333418 - Don't exceed index of KeyframeValueEntry more than entry's length. r=birtles MozReview-Commit-ID: FMmUiWjtLDM
dom/animation/KeyframeUtils.cpp
dom/animation/test/chrome/test_animation_properties.html
dom/animation/test/crashtests/1333418-1.html
dom/animation/test/crashtests/crashtests.list
--- a/dom/animation/KeyframeUtils.cpp
+++ b/dom/animation/KeyframeUtils.cpp
@@ -1342,17 +1342,18 @@ BuildSegmentsFromValueEntries(nsTArray<K
 
     // Starting from i, determine the next [i, j] interval from which to
     // generate a segment.
     size_t j;
     if (aEntries[i].mOffset == 0.0f && aEntries[i + 1].mOffset == 0.0f) {
       // We need to generate an initial zero-length segment.
       MOZ_ASSERT(aEntries[i].mProperty == aEntries[i + 1].mProperty);
       j = i + 1;
-      while (aEntries[j + 1].mOffset == 0.0f &&
+      while (j + 1 < n &&
+             aEntries[j + 1].mOffset == 0.0f &&
              aEntries[j + 1].mProperty == aEntries[j].mProperty) {
         ++j;
       }
     } else if (aEntries[i].mOffset == 1.0f) {
       if (aEntries[i + 1].mOffset == 1.0f &&
           aEntries[i + 1].mProperty == aEntries[i].mProperty) {
         // We need to generate a final zero-length segment.
         j = i + 1;
--- a/dom/animation/test/chrome/test_animation_properties.html
+++ b/dom/animation/test/chrome/test_animation_properties.html
@@ -784,29 +784,59 @@ var gTests = [
   },
   { desc:     'missing properties in both of initial and final keyframe',
     frames:   [ { left: '5px', offset: 0.5 } ],
     expected: [ { property: 'left',
                   values: [ value(0,   undefined, 'add',     'linear'),
                             value(0.5, '5px',       'replace', 'linear'),
                             value(1,   undefined, 'add') ] } ]
   },
-  { desc:     'missing propertes in both of initial and final keyframe along'
+  { desc:     'missing propertes in both of initial and final keyframe along '
               + 'with other values',
     frames:   [ { left:  '5px',  offset: 0 },
                 { right: '5px',  offset: 0.5 },
                 { left:  '10px', offset: 1 } ],
     expected: [ { property: 'left',
                   values: [ value(0, '5px',  'replace', 'linear'),
                             value(1, '10px', 'replace') ] },
                 { property: 'right',
                   values: [ value(0,   undefined, 'add',     'linear'),
                             value(0.5, '5px',     'replace', 'linear'),
                             value(1,   undefined, 'add') ] } ]
   },
+
+  { desc:     'a missing property in final keyframe with duplicate offset ' +
+              + 'along with other values',
+    frames:   [ { left: '5px',  right: '5px', offset: 0 },
+                { left: '8px',  right: '8px', offset: 0 },
+                { left: '10px',               offset: 1 } ],
+    expected: [ { property: 'left',
+                  values: [ value(0, '5px',  'replace'),
+                            value(0, '8px',  'replace', 'linear'),
+                            value(1, '10px', 'replace') ] },
+                { property: 'right',
+                  values: [ value(0, '5px',     'replace'),
+                            value(0, '8px',     'replace', 'linear'),
+                            value(1, undefined, 'add') ] } ]
+  },
+
+  { desc:     'a missing property in initial keyframe with duplicate offset '
+              + 'along with other values',
+    frames:   [ { left: '10px',              offset: 0 },
+                { left: '8px', right: '8px', offset: 1 },
+                { left: '5px', right: '5px', offset: 1 } ],
+    expected: [ { property: 'left',
+                  values: [ value(0, '10px', 'replace', 'linear'),
+                            value(1, '8px',  'replace'),
+                            value(1, '5px',  'replace') ] },
+                { property: 'right',
+                  values: [ value(0, undefined, 'add', 'linear'),
+                            value(1, '8px',     'replace'),
+                            value(1, '5px',     'replace') ] } ]
+  },
 ];
 
 SpecialPowers.pushPrefEnv(
   { set: [["dom.animations-api.core.enabled", true]] },
   function() {
     gTests.forEach(function(subtest) {
       test(function(t) {
         var div = addDiv(t);
new file mode 100644
--- /dev/null
+++ b/dom/animation/test/crashtests/1333418-1.html
@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta charset="UTF-8">
+<script>
+window.onload = function(){
+  let body = document.getElementsByTagName("body")[0];
+  let o = new KeyframeEffect(body, [
+    { "perspective": "none", "width": "auto" },
+    { "perspective": "172.17866832in", "width": "auto" },
+    { "perspective": "0" }],
+    { spacing:"paced(perspective)" }
+  );
+};
+</script>
+</head>
+<body></body>
+</html>
--- a/dom/animation/test/crashtests/crashtests.list
+++ b/dom/animation/test/crashtests/crashtests.list
@@ -16,8 +16,9 @@ pref(dom.animations-api.core.enabled,tru
 skip-if(stylo) pref(dom.animations-api.core.enabled,true) load 1322291-1.html # bug 1311257
 skip-if(stylo) pref(dom.animations-api.core.enabled,true) load 1322291-2.html # bug 1311257 and bug 1311257
 skip-if(stylo) pref(dom.animations-api.core.enabled,true) load 1323114-1.html # bug 1324690 and bug 1311257
 skip-if(stylo) pref(dom.animations-api.core.enabled,true) load 1323114-2.html # bug 1324690
 skip-if(stylo) pref(dom.animations-api.core.enabled,true) load 1325193-1.html # bug 1311257
 skip-if(stylo) pref(dom.animations-api.core.enabled,true) load 1330190-1.html # bug 1311257
 skip-if(stylo) pref(dom.animations-api.core.enabled,true) load 1330190-2.html # bug 1311257
 skip-if(stylo) pref(dom.animations-api.core.enabled,true) load 1330513-1.html # bug 1311257
+skip-if(stylo) pref(dom.animations-api.core.enabled,true) load 1333418-1.html # bug 1311257