Bug 1329849 - In SVG filter lighting code, bail out if kernelUnitLength is negative or zero. r=dholbert
authorvincentliu <vliu@mozilla.com>
Thu, 19 Jan 2017 21:07:25 +0800
changeset 377396 30f65ce798246377f94798a4fa88c102e9224680
parent 377395 80e4fe7ff7cb78b5774caa19f9c340132a06202b
child 377397 3bb7c631c0d6888dda43c8eafa5616991d5a2cb8
push id1419
push userjlund@mozilla.com
push dateMon, 10 Apr 2017 20:44:07 +0000
treeherdermozilla-release@5e6801b73ef6 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersdholbert
bugs1329849
milestone53.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1329849 - In SVG filter lighting code, bail out if kernelUnitLength is negative or zero. r=dholbert
dom/svg/nsSVGFilters.cpp
gfx/2d/FilterNodeSoftware.cpp
--- a/dom/svg/nsSVGFilters.cpp
+++ b/dom/svg/nsSVGFilters.cpp
@@ -512,16 +512,22 @@ nsSVGFELightingElement::AddLightingAttri
 
   nsStyleContext* style = frame->StyleContext();
   Color color(Color::FromABGR(style->StyleSVGReset()->mLightingColor));
   color.a = 1.f;
   float surfaceScale = mNumberAttributes[SURFACE_SCALE].GetAnimValue();
   Size kernelUnitLength =
     GetKernelUnitLength(aInstance, &mNumberPairAttributes[KERNEL_UNIT_LENGTH]);
 
+  if (kernelUnitLength.width <= 0 || kernelUnitLength.height <= 0) {
+    // According to spec, A negative or zero value is an error. See link below for details.
+    // https://www.w3.org/TR/SVG/filters.html#feSpecularLightingKernelUnitLengthAttribute
+    return FilterPrimitiveDescription(PrimitiveType::Empty);
+  }
+
   FilterPrimitiveDescription& descr = aDescription;
   descr.Attributes().Set(eLightingLight, ComputeLightAttributes(aInstance));
   descr.Attributes().Set(eLightingSurfaceScale, surfaceScale);
   descr.Attributes().Set(eLightingKernelUnitLength, kernelUnitLength);
   descr.Attributes().Set(eLightingColor, color);
   return descr;
 }
 
--- a/gfx/2d/FilterNodeSoftware.cpp
+++ b/gfx/2d/FilterNodeSoftware.cpp
@@ -3477,16 +3477,19 @@ FilterNodeLightingSoftware<LightType, Li
 }
 
 template<typename LightType, typename LightingType> template<typename CoordType>
 already_AddRefed<DataSourceSurface>
 FilterNodeLightingSoftware<LightType, LightingType>::DoRender(const IntRect& aRect,
                                                               CoordType aKernelUnitLengthX,
                                                               CoordType aKernelUnitLengthY)
 {
+  MOZ_ASSERT(aKernelUnitLengthX > 0, "aKernelUnitLengthX can be a negative or zero value");
+  MOZ_ASSERT(aKernelUnitLengthY > 0, "aKernelUnitLengthY can be a negative or zero value");
+
   IntRect srcRect = aRect;
   IntSize size = aRect.Size();
   srcRect.Inflate(ceil(float(aKernelUnitLengthX)),
                   ceil(float(aKernelUnitLengthY)));
 
   // Inflate the source rect by another pixel because the bilinear filtering in
   // ColorComponentAtPoint may want to access the margins.
   srcRect.Inflate(1);