[13] SVG RenderSVGShape Null Dereference in isPointInStroke
Severity: Low | Component: WebCore SVG rendering | 389fcd9
Rated Low because the observable effect is a reliable null dereference (renderer crash) with no commit-backed evidence of memory corruption — null-page protections on modern platforms prevent escalation beyond denial of service.
Patch Details
In both RenderSVGShape::shapeDependentStrokeContains and LegacyRenderSVGShape::shapeDependentStrokeContains, the patch replaces the unconditional m_path-> dereference in the LocalCoordinateSpace fallback path with ensurePath().strokeContains(...), which lazily creates the path if null.
Source/WebCore/rendering/svg/RenderSVGShape.cpp
bool RenderSVGShape::shapeDependentStrokeContains(const FloatPoint& point, PointCoordinateSpace pointCoordinateSpace)
{
- ASSERT(m_path);
-
if (hasNonScalingStroke() && pointCoordinateSpace != LocalCoordinateSpace) {
+ ASSERT(m_path);
AffineTransform nonScalingTransform = nonScalingStrokeTransform();
Path* usePath = nonScalingStrokePath(m_path.get(), nonScalingTransform);
return usePath->strokeContains(nonScalingTransform.mapPoint(point), [this] (GraphicsContext& context) {
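Review bot: the ASSERT(m_path) moved into the non-scaling-stroke branch compiles out in release builds, so nonScalingStrokePath(m_path.get(), nonScalingTransform) still dereferences a null m_path unconditionally if this branch is ever reached before layout. That is fine for the isPointInStroke() entry described in the analysis (it passes LocalCoordinateSpace and skips this branch), but a short comment stating which callers guarantee the path here, or using ensurePath().get() in place of m_path.get(), would make the invariant explicit rather than debug-only.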
@@ ...
}
- return m_path->strokeContains(point, [this] (GraphicsContext& context) {
+ return ensurePath().strokeContains(point, [this] (GraphicsContext& context) {
SVGRenderSupport::applyStrokeStyleToContext(context, style(), *this);
});
}
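Review bot: the patch description says LegacyRenderSVGShape::shapeDependentStrokeContains receives the same ensurePath() change, but only the RenderSVGShape.cpp hunk is shown; the LegacyRenderSVGShape.cpp hunk should be included alongside it so both code paths are reviewed together. For the hunk itself, replacing `m_path->strokeContains(...)` with `ensurePath().strokeContains(...)` is the right shape of fix, since it removes the null dereference rather than just returning early; a one-line comment noting that script can reach this before layout has built the path would explain why the lazy accessor is needed here.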
LayoutTests/svg/dom/SVGGeometry-isPointInStroke-with-null-path.html
+<svg style="stroke: black; display: table-caption">
+ <polygon id="polygon"></polygon>
+</svg>
+<script>
+ document.getElementById("polygon").isPointInStroke();
+</script>
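Review bot: the test has no observable pass condition: it only calls isPointInStroke() and relies on not crashing. Adding a testRunner.dumpAsText() call and a visible PASS line after the call (or a js-test style assertion that the call returns false) would document the expected result and keep the test meaningful if the crash later turns into a silent wrong answer. A comment explaining why `display: table-caption` is needed to reproduce (presumably to reach the hit-test before layout has computed the path) would also help future readers of the test.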
Missing null guard on a lazily-initialized path object before dereference in a JS-reachable SVG hit-testing API.
Background
SVG geometry elements (<path>, <polygon>, <circle>, etc.) expose the isPointInStroke() method via the SVGGeometryElement interface, performing hit-testing against the element's stroked outline. Internally, WebKit represents the element's geometric shape via an m_path member (std::unique_ptr<Path>), which is lazily initialized during layout. ensurePath() is an accessor that creates the path on demand if it does not yet exist.
Analysis
When isPointInStroke() is called from JavaScript on an SVG geometry element whose path has not been computed (e.g., an empty <polygon> with no points), m_path is null. The call reaches shapeDependentStrokeContains via isPointInStroke() with LocalCoordinateSpace, bypasses the non-scaling-stroke branch, and dereferences the null m_path pointer directly.
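The crash path described above, modelled as an added C++ example that is not WebKit code: a shape renderer with a lazily-initialized std::unique_ptr path, the unguarded hit-test that dereferences it unconditionally, and the hardened form that goes through an ensurePath() accessor. The class and function names (ShapeRenderer, Path, strokeContainsUnguarded, strokeContainsGuarded) and the toy stroke hit-test (distance to the nearest polygon edge versus half the stroke width) are assumptions for illustration only.

```cpp
#include <cmath>
#include <cstddef>
#include <memory>
#include <utility>
#include <vector>

// Toy stand-ins for WebCore's FloatPoint and Path (assumed names, not WebKit code).
struct FloatPoint { float x; float y; };

class Path {
public:
    void addPoint(FloatPoint p) { m_points.push_back(p); }
    bool isEmpty() const { return m_points.empty(); }

    // Stroke hit-test on a closed polygon: the point is "in the stroke" when it
    // lies within strokeWidth/2 of any edge.
    bool strokeContains(FloatPoint p, float strokeWidth) const {
        if (m_points.size() < 2)
            return false; // nothing to stroke
        float half = strokeWidth / 2;
        for (size_t i = 0; i < m_points.size(); ++i) {
            const FloatPoint& a = m_points[i];
            const FloatPoint& b = m_points[(i + 1) % m_points.size()];
            if (distanceToSegment(p, a, b) <= half)
                return true;
        }
        return false;
    }

private:
    static float distanceToSegment(FloatPoint p, FloatPoint a, FloatPoint b) {
        float dx = b.x - a.x, dy = b.y - a.y;
        float len2 = dx * dx + dy * dy;
        float t = 0;
        if (len2 > 0) {
            t = ((p.x - a.x) * dx + (p.y - a.y) * dy) / len2;
            t = std::fmax(0.f, std::fmin(1.f, t)); // clamp to the segment
        }
        float cx = a.x + t * dx, cy = a.y + t * dy;
        return std::hypot(p.x - cx, p.y - cy);
    }
    std::vector<FloatPoint> m_points;
};

// Simplified model of a shape renderer whose path is built lazily.
class ShapeRenderer {
public:
    ShapeRenderer(std::vector<FloatPoint> points, float strokeWidth)
        : m_points(std::move(points)), m_strokeWidth(strokeWidth) {}

    // Normally layout() builds the path. Script can reach hit-testing before
    // layout has ever run, which is the situation the page's test exercises.
    void layout() { m_path = buildPath(); }

    // Vulnerable form: assumes layout already built m_path.
    // Undefined behaviour (null dereference) if called before layout().
    bool strokeContainsUnguarded(FloatPoint p) const {
        return m_path->strokeContains(p, m_strokeWidth);
    }

    // Fixed form, mirroring the patch: the path is created on demand
    // instead of being dereferenced unconditionally.
    bool strokeContainsGuarded(FloatPoint p) {
        return ensurePath().strokeContains(p, m_strokeWidth);
    }

    bool hasPath() const { return m_path != nullptr; }

private:
    Path& ensurePath() {
        if (!m_path)
            m_path = buildPath();
        return *m_path;
    }
    std::unique_ptr<Path> buildPath() const {
        auto path = std::make_unique<Path>();
        for (const auto& pt : m_points)
            path->addPoint(pt);
        return path;
    }
    std::vector<FloatPoint> m_points;
    float m_strokeWidth;
    std::unique_ptr<Path> m_path; // null until layout() or ensurePath()
};

// Scenario from the page: an empty <polygon> hit-tested before layout.
// strokeContainsUnguarded() here would dereference null; the guarded form
// builds an empty Path and reports "not in stroke".
bool emptyPolygonHitTestBeforeLayout() {
    ShapeRenderer polygon({}, 2.0f);
    return polygon.strokeContainsGuarded({0, 0});
}

// Non-empty polygon, also before layout: ensurePath() yields correct geometry.
bool squareEdgeHitBeforeLayout() {
    ShapeRenderer square({{0, 0}, {10, 0}, {10, 10}, {0, 10}}, 2.0f);
    return square.strokeContainsGuarded({5, 0.5f}); // 0.5 from the top edge, half-width 1
}

bool squareInteriorMissBeforeLayout() {
    ShapeRenderer square({{0, 0}, {10, 0}, {10, 10}, {0, 10}}, 2.0f);
    return square.strokeContainsGuarded({5, 5}); // 5 from every edge
}
```

The point of the guarded form is that the accessor, not the caller, owns the "has the path been built yet" invariant; every JS-reachable entry that needs the geometry then gets a valid object regardless of whether layout has run.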