haikuwebkit/LayoutTests/svg/filters/svg-deeply-nested-crash.html

<!DOCTYPE html>
<script>
function addFilterEffects(filterId, count) {
  // inserts a new tree of 'count' feGaussianBlur effects to 
  // the filter whose id = 'filterId'
  var filter = document.getElementById(filterId);
  for (var i = 0; i < count; i++) {
    var feElement = document.createElementNS("http://www.w3.org/2000/svg", "feGaussianBlur");
	// Make the first effect be the root of the tree
    if (i == 0) {
	    feElement.setAttribute("in", "SourceGraphic");
	}
    feElement.setAttribute("stdDeviation", "1.0");
    filter.appendChild(feElement);
  }
}
if (window.testRunner)
    testRunner.dumpAsText();
window.addEventListener("load", function () {
  // will be ignored: # of effects in the filter map > 200
  addFilterEffects("Ignored200", 100000);
  // will be ignored: # of effects connected to lastEffect > 100
  addFilterEffects("Ignored100", 50);
  addFilterEffects("Ignored100", 149);
  // will be used: # of effects in the filter map == 200 but  # of effects connected to lastEffect < 100
  addFilterEffects("TripleBlur", 196);
  addFilterEffects("TripleBlur", 3);
}, false);
</script>
<svg width="500" height="300" xmlns="http://www.w3.org/2000/svg">
<defs>
  <filter id="Ignored200">
  </filter>
  <filter id="Ignored100">
  </filter>
  <filter id="TripleBlur">
  </filter>
  <filter id="ShiftAndBlur">
    <feOffset dx="10" dy="10" />
    <feGaussianBlur stdDeviation="8.0" />
  </filter>
</defs>
<rect fill="red" x="10px" y="10px" width="20px" height="20px" filter="url(#Ignored200)"/>
<rect fill="yellow" x="10px" y="10px" width="20px" height="20px" filter="url(#Ignored100)"/>
<rect fill="blue" x="10px" y="10px" width="20px" height="20px" filter="url(#TripleBlur)"/>
<circle fill="green" cx="100" cy="100" r="100"filter="url(#ShiftAndBlur)" />
<text transform="translate(210,210)">
  PASS
</text>
</svg>
Source/WebCore: Stack overflow with enormous SVG filter https://bugs.webkit.org/show_bug.cgi?id=63290 Prevent building an SVG filter if it has more than 200 FilterEffect nodes in its map regardless whether they will be connected to its lastEffect or not. Also discard any filter which has more 100 contributing FilterEffect nodes in its tree. Patch by Said Abou-Hallawa <sabouhallawa@apple.com> on 2014-09-30 Reviewed by Dean Jackson. Tests: svg/filters/svg-deeply-nested-crash.html * platform/graphics/filters/FilterEffect.cpp: (WebCore::collectEffects): (WebCore::FilterEffect::totalNumberOfEffectInputs): * platform/graphics/filters/FilterEffect.h: -- Add a method to return the total number of input FilterEffect's contributing to a FilterEffect. * rendering/svg/RenderSVGResourceFilter.cpp: (WebCore::RenderSVGResourceFilter::buildPrimitives): -- Do not build a filter if it has more than 200 FilterEffects in its map. (WebCore::RenderSVGResourceFilter::applyResource): -- Discard a filter after it was built if it has more than 100 FilterEffects in its tree. LayoutTests: Stack overflow with enormous SVG filter. https://bugs.webkit.org/show_bug.cgi?id=63290. Patch by Said Abou-Hallawa <sabouhallawa@apple.com> on 2014-09-30 Reviewed by Dean Jackson. Test if an SVG filter with deeply nested tree of FilterEffects can be loaded with no crash. Make sure other valid filters can still be referenced by SVG drawing elements. An SVG Filter will be ignored if the number of effects in its map is greater than 200 or the total number of effects connected to its last effect is greater than 100. * svg/filters/svg-deeply-nested-crash-expected.txt: Added. * svg/filters/svg-deeply-nested-crash.html: Added. Canonical link: https://commits.webkit.org/155080@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@174137 268f45cc-cd09-0410-ab3c-d52691b4dbfc 2014-10-01 00:14:03 +00:00			`<!DOCTYPE html>`
			`<script>`
			`function addFilterEffects(filterId, count) {`
			`// inserts a new tree of 'count' feGaussianBlur effects to`
			`// the filter whose id = 'filterId'`
			`var filter = document.getElementById(filterId);`
			`for (var i = 0; i < count; i++) {`
			`var feElement = document.createElementNS("http://www.w3.org/2000/svg", "feGaussianBlur");`
			`// Make the first effect be the root of the tree`
			`if (i == 0) {`
			`feElement.setAttribute("in", "SourceGraphic");`
			`}`
			`feElement.setAttribute("stdDeviation", "1.0");`
			`filter.appendChild(feElement);`
			`}`
			`}`
			`if (window.testRunner)`
			`testRunner.dumpAsText();`
			`window.addEventListener("load", function () {`
			`// will be ignored: # of effects in the filter map > 200`
			`addFilterEffects("Ignored200", 100000);`
			`// will be ignored: # of effects connected to lastEffect > 100`
			`addFilterEffects("Ignored100", 50);`
			`addFilterEffects("Ignored100", 149);`
			`// will be used: # of effects in the filter map == 200 but # of effects connected to lastEffect < 100`
			`addFilterEffects("TripleBlur", 196);`
			`addFilterEffects("TripleBlur", 3);`
			`}, false);`
			`</script>`
			`<svg width="500" height="300" xmlns="http://www.w3.org/2000/svg">`
			`<defs>`
			`<filter id="Ignored200">`
			`</filter>`
			`<filter id="Ignored100">`
			`</filter>`
			`<filter id="TripleBlur">`
			`</filter>`
			`<filter id="ShiftAndBlur">`
			`<feOffset dx="10" dy="10" />`
			`<feGaussianBlur stdDeviation="8.0" />`
			`</filter>`
			`</defs>`
			`<rect fill="red" x="10px" y="10px" width="20px" height="20px" filter="url(#Ignored200)"/>`
			`<rect fill="yellow" x="10px" y="10px" width="20px" height="20px" filter="url(#Ignored100)"/>`
			`<rect fill="blue" x="10px" y="10px" width="20px" height="20px" filter="url(#TripleBlur)"/>`
			`<circle fill="green" cx="100" cy="100" r="100"filter="url(#ShiftAndBlur)" />`
			`<text transform="translate(210,210)">`
			`PASS`
			`</text>`
			`</svg>`