diff options
| author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 19:33:14 +0000 |
|---|---|---|
| committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 19:33:14 +0000 |
| commit | 36d22d82aa202bb199967e9512281e9a53db42c9 (patch) | |
| tree | 105e8c98ddea1c1e4784a60a5a6410fa416be2de /dom/svg/crashtests/long-clipPath-reference-chain.svg | |
| parent | Initial commit. (diff) | |
| download | firefox-esr-36d22d82aa202bb199967e9512281e9a53db42c9.tar.xz firefox-esr-36d22d82aa202bb199967e9512281e9a53db42c9.zip | |
Adding upstream version 115.7.0esr.upstream/115.7.0esrupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
| -rw-r--r-- | dom/svg/crashtests/long-clipPath-reference-chain.svg | 53 |
1 files changed, 53 insertions, 0 deletions
diff --git a/dom/svg/crashtests/long-clipPath-reference-chain.svg b/dom/svg/crashtests/long-clipPath-reference-chain.svg new file mode 100644 index 0000000000..31a587c740 --- /dev/null +++ b/dom/svg/crashtests/long-clipPath-reference-chain.svg @@ -0,0 +1,53 @@ +<svg xmlns="http://www.w3.org/2000/svg"> + <title>Test very long clipPath chain - MAY CRASH</title> + <script><![CDATA[ + +// This script creates a very long chain of clipPath elements to test whether +// that causes a stack overflow that crashes the UA. The first clipPath clips +// to a 50x100 rect, the last to a 25x100 rect. If a UA was to apply the +// entire clipPath chain (unlikely) a rect 25x100 would be rendered. +// +// At the time of writing, Firefox would treat the entire chain of clipPaths as +// invalid due to its excessive length, and refuse to render the referencing +// element at all. One alternative would be to ignore the clipPath reference +// and render the referencing element without any clipping. Another +// alternative would be to break the chain and clip the referencing element, +// but only using the first X clipPaths in the chain (in which case a 50x100 +// rect would be rendered). + +var chainLength = 100000; + +var SVG_NS = "http://www.w3.org/2000/svg"; +var template = document.createElementNS(SVG_NS, "clipPath"); +var templatesRect = document.createElementNS(SVG_NS, "rect"); +templatesRect.setAttribute("width", "100"); +templatesRect.setAttribute("height", "100"); +template.appendChild(templatesRect); + +function createClipPath(index) { + var cp = template.cloneNode(true); + cp.id = "c" + index; + cp.setAttribute("clip-path", "url(#c" + (index + 1) + ")"); + return cp; +} + +var de = document.documentElement; + +for (var i = chainLength; i > 0; --i) { + var cp = createClipPath(i); + + if (i == chainLength) { + cp.firstChild.setAttribute("width", "25"); + } + else if (i == 1) { + cp.firstChild.setAttribute("width", "50"); + } + + de.appendChild(cp); +} + + ]]></script> + <rect width="100%" height="100%" fill="lime"/> + <!-- We don't expect the following element to render at all --> + <rect width="500" height="500" clip-path="url(#c1)"/> +</svg> |