Large SVG sometimes causes parseerror
Reported by babata...@gmail.com, Feb 14 2018
Issue description
UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3346.0 Safari/537.36
Example URL:
Steps to reproduce the problem:
1. Open "pdf.svg" in the attached "testcase.zip".
What is the expected behavior?
No errors are displayed.
What went wrong?
Sometimes (about once in 30 times) the following error is displayed.
This page contains the following errors:
error on line 1499 at column 129: AttValue: ' expected
Below is a rendering of the page up to the first error.
Does it occur on multiple sites: N/A
Is it a problem with a plugin? No
Did this work before? Yes Version 64.0.3282.167 (Official Build) (64-bit)
Does this work in other browsers? Yes
Chrome version: 66.0.3346.0 Channel: n/a
OS Version: 10.0
Flash Version:
The attached SVG was created from PDF by Inkscape. Similar errors are displayed with different SVG files (at least my private 94KB SVG file created by Adobe Illustrator).
- "AttValue: ' expected"
- "Specification mandates value for attribute stroke-miterlimit"
It seems to be easy to reproduce if the SVG is displayed multiple times in one HTML. "index.html" in "testcase.zip" may help reproduce.
Feb 14 2018
"line 1499 ... column 129" seems to be at a 64k boundary, making this look like a buffer boundary issue (w/ the XML parser probably.)
Feb 14 2018
Cannot reproduce on 65.0.3325.51 (Official Build) beta.
Feb 15 2018
I debugged this a bit, and it appears to be a bug in libxml. The reason it only happens sometimes is because it depends on both the size of the input (chunk) passed to the XML parser and the addresses the parser-internal buffers are allocated at (if a new buffer gets a lower address the bug will trigger, but if it gets a higher address it won't.) Because of this, it will be difficult to produce a reproducible test without hooking malloc (which you can do via the libxml APIs.)
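The two observations above (the error position landing near a 64 KiB offset, and the failure depending on the chunk size handed to the XML parser) are what a chunk-boundary differential test is built to catch before a parser roll reaches a release branch. What follows is an added example for this thread, not code from the bug report, from Chromium or from libxml: it uses Python's standard-library expat binding (xml.parsers.expat) as a stand-in push parser, generates its own SVG-like input (constructed here, not the attached pdf.svg), sweeps chunk sizes around the 64 KiB boundary and compares every chunked parse against a one-shot parse. All function names are this example's own. The harness shape carries over to libxml's xmlParseChunk; the address-dependent half of the bug is out of reach from this harness, which is where the malloc hook the comment refers to (libxml's xmlMemSetup) comes in.

```python
"""Chunk-boundary differential test for a push (streaming) XML parser.

Constructed example: Python's stdlib expat binding stands in for libxml,
and the SVG-like document is generated so byte offsets are exact.
"""
import xml.parsers.expat

BOUNDARY = 64 * 1024  # the "64k boundary" suspected in the thread


def build_svg(n_paths=1500):
    """Generate an SVG-like document with many single-quoted attributes
    (the bug report's error was "AttValue: ' expected" and a missing
    stroke-miterlimit value), large enough to cross several 64 KiB
    boundaries. Constructed input, not the reporter's file."""
    lines = [
        "<?xml version='1.0' encoding='UTF-8'?>",
        "<svg xmlns='http://www.w3.org/2000/svg' width='100' height='100'>",
    ]
    for i in range(n_paths):
        lines.append(
            f"<path id='p{i}' d='M {i} 0 L {i + 1} 1' stroke='#000' "
            f"stroke-miterlimit='4' stroke-width='0.5' fill='none'/>"
        )
    lines.append("</svg>")
    return "\n".join(lines).encode("utf-8")


def line_col_to_offset(data, line, col):
    """Byte offset of a 1-based (line, column) position, as libxml reports
    errors, so a reported position can be checked against buffer sizes."""
    rows = data.split(b"\n")
    return sum(len(r) + 1 for r in rows[:line - 1]) + (col - 1)


def near_boundary(offset, window=256, boundary=BOUNDARY):
    """True if `offset` is within `window` bytes of a multiple of `boundary`."""
    rem = offset % boundary
    return min(rem, boundary - rem) <= window


def parse_in_chunks(data, chunk_size):
    """Feed `data` to expat in fixed-size chunks and return a snapshot of
    every start element (name plus sorted attributes). Raises ExpatError
    on a parse error, exactly as a chunk-boundary bug would surface."""
    seen = []
    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = (
        lambda name, attrs: seen.append((name, tuple(sorted(attrs.items()))))
    )
    for start in range(0, len(data), chunk_size):
        parser.Parse(data[start:start + chunk_size], False)
    parser.Parse(b"", True)
    return seen


def chunk_sweep(data, chunk_sizes):
    """Differential test: every chunked parse must match the one-shot
    parse. Returns a list of (chunk_size, description) for each
    divergence; an empty list means the parser is chunking-independent."""
    reference = parse_in_chunks(data, len(data))
    failures = []
    for size in chunk_sizes:
        try:
            result = parse_in_chunks(data, size)
        except xml.parsers.expat.ExpatError as exc:
            failures.append((size, f"parse error: {exc}"))
            continue
        if result != reference:
            failures.append((size, "element/attribute mismatch vs. one-shot parse"))
    return failures


if __name__ == "__main__":
    doc = build_svg()
    sizes = [13, 4096, BOUNDARY - 1, BOUNDARY, BOUNDARY + 1, 2 * BOUNDARY]
    print(f"document: {len(doc)} bytes, crosses {len(doc) // BOUNDARY} 64 KiB boundaries")
    failures = chunk_sweep(doc, sizes)
    if not failures:
        print("no divergence across chunk sizes", sizes)
    for size, msg in failures:
        print(f"chunk size {size}: {msg}")
```

Against a correct parser the sweep returns no failures; against a parser with a buffer-boundary defect, the sizes that straddle the boundary are the ones that show up, which is the sort of reproducer a libxml roll could be gated on. Because the reporter's failure also depends on where the parser's internal buffers land in memory, a libxml port of this harness would additionally install deterministic allocators through xmlMemSetup so that the lower-address case is exercised on every run rather than once in thirty.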
Mar 2 2018
The issue reproduces on Version 65.0.3325.106 (Official Build) beta (64-bit). I think this is a somewhat critical regression. Is it hard to fix it before reflecting in the stable version?
Mar 2 2018
I think the bug in the XML parser has been there for quite some time. It's probably triggering more often now because of changes to buffer sizes in the loading code or something like that. Considering the various factors that seem to be required to trigger this bug, I'd doubt that a fix would be accepted for merge to a soon-to-be stable version. Sorry.
Mar 16 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/4be2115e0abf80619cbf702d0619520d0c4c868d

commit 4be2115e0abf80619cbf702d0619520d0c4c868d
Author: Stephen Chenney <schenney@chromium.org>
Date: Fri Mar 16 18:30:55 2018

Revert "Roll libxml to 707ad080e61014ab4a6d60dc12875e233c1f673c"

This reverts commit c0a946a4dec56ce5906a78f6e0b0c1f9e12c70b6.

Reason for revert: Breaks content all over the web.

Bug: 820163, 822673, 820561, 812148, 821333

Original change's description:
> Roll libxml to 707ad080e61014ab4a6d60dc12875e233c1f673c
>
> This fixes a number of bugs found on clusterfuzz.
>
> Change-Id: Id2fa1d96e55be1e0483c135c20c20b90a068f4c3
> Bug: 790944
> Bug: 793715
> Bug: 796804
> Bug: 799707
> Reviewed-on: https://chromium-review.googlesource.com/897220
> Commit-Queue: Joel Hockey <joelhockey@chromium.org>
> Reviewed-by: Scott Graham <scottmg@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#533953}

TBR=dcheng@chromium.org,scottmg@chromium.org,joelhockey@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug: 790944, 793715, 796804, 799707
Change-Id: Ic6b934d384229b9cf9092d559b865bbe8f278f38
Reviewed-on: https://chromium-review.googlesource.com/966684
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Reviewed-by: Stephen Chenney <schenney@chromium.org>
Commit-Queue: Stephen Chenney <schenney@chromium.org>
Cr-Commit-Position: refs/heads/master@{#543766}

[modify] https://crrev.com/4be2115e0abf80619cbf702d0619520d0c4c868d/third_party/libxml/README.chromium
[modify] https://crrev.com/4be2115e0abf80619cbf702d0619520d0c4c868d/third_party/libxml/chromium/chromium-issue-628581.patch
[modify] https://crrev.com/4be2115e0abf80619cbf702d0619520d0c4c868d/third_party/libxml/linux/xml2-config
[modify] https://crrev.com/4be2115e0abf80619cbf702d0619520d0c4c868d/third_party/libxml/src/HTMLparser.c
[modify] https://crrev.com/4be2115e0abf80619cbf702d0619520d0c4c868d/third_party/libxml/src/configure.ac
[modify] https://crrev.com/4be2115e0abf80619cbf702d0619520d0c4c868d/third_party/libxml/src/libxml2.spec
[modify] https://crrev.com/4be2115e0abf80619cbf702d0619520d0c4c868d/third_party/libxml/src/parser.c
[modify] https://crrev.com/4be2115e0abf80619cbf702d0619520d0c4c868d/third_party/libxml/src/parserInternals.c
[modify] https://crrev.com/4be2115e0abf80619cbf702d0619520d0c4c868d/third_party/libxml/src/win32/Makefile.msvc
[modify] https://crrev.com/4be2115e0abf80619cbf702d0619520d0c4c868d/third_party/libxml/src/win32/configure.js
[delete] https://crrev.com/431c6dbf0a42d0c31c7dccd6553c6c496f1042a0/third_party/libxml/src/win32/libxml2.rc
[modify] https://crrev.com/4be2115e0abf80619cbf702d0619520d0c4c868d/third_party/libxml/src/xmlIO.c
Mar 16 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/0f92ca1175c89aec344326778c755ba57ef4d314

commit 0f92ca1175c89aec344326778c755ba57ef4d314
Author: Stephen Chenney <schenney@chromium.org>
Date: Fri Mar 16 18:50:19 2018

Revert "Roll libxml to 707ad080e61014ab4a6d60dc12875e233c1f673c"

M-65 stable merge.

This reverts commit c0a946a4dec56ce5906a78f6e0b0c1f9e12c70b6.

Reason for revert: Breaks content all over the web.

Bug: 820163, 822673, 820561, 812148, 821333

Original change's description:
> Roll libxml to 707ad080e61014ab4a6d60dc12875e233c1f673c
>
> This fixes a number of bugs found on clusterfuzz.
>
> Change-Id: Id2fa1d96e55be1e0483c135c20c20b90a068f4c3
> Bug: 790944
> Bug: 793715
> Bug: 796804
> Bug: 799707
> Reviewed-on: https://chromium-review.googlesource.com/897220
> Commit-Queue: Joel Hockey <joelhockey@chromium.org>
> Reviewed-by: Scott Graham <scottmg@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#533953}

TBR=dcheng@chromium.org,scottmg@chromium.org,joelhockey@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug: 790944, 793715, 796804, 799707
Change-Id: Ic6b934d384229b9cf9092d559b865bbe8f278f38
Reviewed-on: https://chromium-review.googlesource.com/966684
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Reviewed-by: Stephen Chenney <schenney@chromium.org>
Commit-Queue: Stephen Chenney <schenney@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#543766}
(cherry picked from commit 4be2115e0abf80619cbf702d0619520d0c4c868d)
Reviewed-on: https://chromium-review.googlesource.com/967021
Cr-Commit-Position: refs/branch-heads/3325@{#714}
Cr-Branched-From: bc084a8b5afa3744a74927344e304c02ae54189f-refs/heads/master@{#530369}

[modify] https://crrev.com/0f92ca1175c89aec344326778c755ba57ef4d314/third_party/libxml/README.chromium
[modify] https://crrev.com/0f92ca1175c89aec344326778c755ba57ef4d314/third_party/libxml/chromium/chromium-issue-628581.patch
[modify] https://crrev.com/0f92ca1175c89aec344326778c755ba57ef4d314/third_party/libxml/linux/xml2-config
[modify] https://crrev.com/0f92ca1175c89aec344326778c755ba57ef4d314/third_party/libxml/src/HTMLparser.c
[modify] https://crrev.com/0f92ca1175c89aec344326778c755ba57ef4d314/third_party/libxml/src/configure.ac
[modify] https://crrev.com/0f92ca1175c89aec344326778c755ba57ef4d314/third_party/libxml/src/libxml2.spec
[modify] https://crrev.com/0f92ca1175c89aec344326778c755ba57ef4d314/third_party/libxml/src/parser.c
[modify] https://crrev.com/0f92ca1175c89aec344326778c755ba57ef4d314/third_party/libxml/src/parserInternals.c
[modify] https://crrev.com/0f92ca1175c89aec344326778c755ba57ef4d314/third_party/libxml/src/win32/Makefile.msvc
[modify] https://crrev.com/0f92ca1175c89aec344326778c755ba57ef4d314/third_party/libxml/src/win32/configure.js
[delete] https://crrev.com/483290671a61fdd75600a7b7f5e4a940ba814e9b/third_party/libxml/src/win32/libxml2.rc
[modify] https://crrev.com/0f92ca1175c89aec344326778c755ba57ef4d314/third_party/libxml/src/xmlIO.c
Mar 16 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/54a1c705833b375b124b014159dcadda02a80e9b

commit 54a1c705833b375b124b014159dcadda02a80e9b
Author: Stephen Chenney <schenney@chromium.org>
Date: Fri Mar 16 19:00:42 2018

Revert "Roll libxml to 707ad080e61014ab4a6d60dc12875e233c1f673c"

This reverts commit c0a946a4dec56ce5906a78f6e0b0c1f9e12c70b6.

M-66 merge.

Reason for revert: Breaks content all over the web.

Bug: 820163, 822673, 820561, 812148, 821333

Original change's description:
> Roll libxml to 707ad080e61014ab4a6d60dc12875e233c1f673c
>
> This fixes a number of bugs found on clusterfuzz.
>
> Change-Id: Id2fa1d96e55be1e0483c135c20c20b90a068f4c3
> Bug: 790944
> Bug: 793715
> Bug: 796804
> Bug: 799707
> Reviewed-on: https://chromium-review.googlesource.com/897220
> Commit-Queue: Joel Hockey <joelhockey@chromium.org>
> Reviewed-by: Scott Graham <scottmg@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#533953}

TBR=dcheng@chromium.org,scottmg@chromium.org,joelhockey@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug: 790944, 793715, 796804, 799707
Change-Id: Ic6b934d384229b9cf9092d559b865bbe8f278f38
Reviewed-on: https://chromium-review.googlesource.com/966684
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Reviewed-by: Stephen Chenney <schenney@chromium.org>
Commit-Queue: Stephen Chenney <schenney@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#543766}
(cherry picked from commit 4be2115e0abf80619cbf702d0619520d0c4c868d)
Reviewed-on: https://chromium-review.googlesource.com/966962
Cr-Commit-Position: refs/branch-heads/3359@{#288}
Cr-Branched-From: 66afc5e5d10127546cc4b98b9117aff588b5e66b-refs/heads/master@{#540276}

[modify] https://crrev.com/54a1c705833b375b124b014159dcadda02a80e9b/third_party/libxml/README.chromium
[modify] https://crrev.com/54a1c705833b375b124b014159dcadda02a80e9b/third_party/libxml/chromium/chromium-issue-628581.patch
[modify] https://crrev.com/54a1c705833b375b124b014159dcadda02a80e9b/third_party/libxml/linux/xml2-config
[modify] https://crrev.com/54a1c705833b375b124b014159dcadda02a80e9b/third_party/libxml/src/HTMLparser.c
[modify] https://crrev.com/54a1c705833b375b124b014159dcadda02a80e9b/third_party/libxml/src/configure.ac
[modify] https://crrev.com/54a1c705833b375b124b014159dcadda02a80e9b/third_party/libxml/src/libxml2.spec
[modify] https://crrev.com/54a1c705833b375b124b014159dcadda02a80e9b/third_party/libxml/src/parser.c
[modify] https://crrev.com/54a1c705833b375b124b014159dcadda02a80e9b/third_party/libxml/src/parserInternals.c
[modify] https://crrev.com/54a1c705833b375b124b014159dcadda02a80e9b/third_party/libxml/src/win32/Makefile.msvc
[modify] https://crrev.com/54a1c705833b375b124b014159dcadda02a80e9b/third_party/libxml/src/win32/configure.js
[delete] https://crrev.com/11b924f8c4a7c84bfb46e8df78e7ef8d330dc907/third_party/libxml/src/win32/libxml2.rc
[modify] https://crrev.com/54a1c705833b375b124b014159dcadda02a80e9b/third_party/libxml/src/xmlIO.c
Mar 16 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/d8901956103e21b8c3461b779e99cd5d7f50f3ad

commit d8901956103e21b8c3461b779e99cd5d7f50f3ad
Author: Stephen Chenney <schenney@chromium.org>
Date: Fri Mar 16 19:19:12 2018

Revert "Roll libxml to 707ad080e61014ab4a6d60dc12875e233c1f673c"

This reverts commit c0a946a4dec56ce5906a78f6e0b0c1f9e12c70b6.

Canary build branch merge.

Reason for revert: Breaks content all over the web.

Bug: 820163, 822673, 820561, 812148, 821333

Original change's description:
> Roll libxml to 707ad080e61014ab4a6d60dc12875e233c1f673c
>
> This fixes a number of bugs found on clusterfuzz.
>
> Change-Id: Id2fa1d96e55be1e0483c135c20c20b90a068f4c3
> Bug: 790944
> Bug: 793715
> Bug: 796804
> Bug: 799707
> Reviewed-on: https://chromium-review.googlesource.com/897220
> Commit-Queue: Joel Hockey <joelhockey@chromium.org>
> Reviewed-by: Scott Graham <scottmg@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#533953}

TBR=dcheng@chromium.org,scottmg@chromium.org,joelhockey@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug: 790944, 793715, 796804, 799707
Change-Id: Ic6b934d384229b9cf9092d559b865bbe8f278f38
Reviewed-on: https://chromium-review.googlesource.com/966684
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Reviewed-by: Stephen Chenney <schenney@chromium.org>
Commit-Queue: Stephen Chenney <schenney@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#543766}
(cherry picked from commit 4be2115e0abf80619cbf702d0619520d0c4c868d)
Reviewed-on: https://chromium-review.googlesource.com/966690
Cr-Commit-Position: refs/branch-heads/3372@{#1}
Cr-Branched-From: ad7f48548867b059f459e13c53bb8e2e96027381-refs/heads/master@{#543592}

[modify] https://crrev.com/d8901956103e21b8c3461b779e99cd5d7f50f3ad/third_party/libxml/README.chromium
[modify] https://crrev.com/d8901956103e21b8c3461b779e99cd5d7f50f3ad/third_party/libxml/chromium/chromium-issue-628581.patch
[modify] https://crrev.com/d8901956103e21b8c3461b779e99cd5d7f50f3ad/third_party/libxml/linux/xml2-config
[modify] https://crrev.com/d8901956103e21b8c3461b779e99cd5d7f50f3ad/third_party/libxml/src/HTMLparser.c
[modify] https://crrev.com/d8901956103e21b8c3461b779e99cd5d7f50f3ad/third_party/libxml/src/configure.ac
[modify] https://crrev.com/d8901956103e21b8c3461b779e99cd5d7f50f3ad/third_party/libxml/src/libxml2.spec
[modify] https://crrev.com/d8901956103e21b8c3461b779e99cd5d7f50f3ad/third_party/libxml/src/parser.c
[modify] https://crrev.com/d8901956103e21b8c3461b779e99cd5d7f50f3ad/third_party/libxml/src/parserInternals.c
[modify] https://crrev.com/d8901956103e21b8c3461b779e99cd5d7f50f3ad/third_party/libxml/src/win32/Makefile.msvc
[modify] https://crrev.com/d8901956103e21b8c3461b779e99cd5d7f50f3ad/third_party/libxml/src/win32/configure.js
[delete] https://crrev.com/ad7f48548867b059f459e13c53bb8e2e96027381/third_party/libxml/src/win32/libxml2.rc
[modify] https://crrev.com/d8901956103e21b8c3461b779e99cd5d7f50f3ad/third_party/libxml/src/xmlIO.c
Mar 19 2018
Tested this issue on Windows 10, Mac OS 10.12.6 and Ubuntu 14.04 on the reported version 66.0.3346.0 and was unable to reproduce the issue by following the steps below.
1. Launched Chrome and downloaded the attached zip file.
2. Opened the file pdf.svg in Chrome and couldn't observe any errors on the page.
Tried to repro the issue many times, but no luck. Hence unable to verify this fix on the latest Canary build 67.0.3375.0.
Note: The same CL is associated with issue 820163 and issue 822673. Issue 822673 looks to be verified on the latest Canary 67.0.3375.0.
babatakao@ Request you to update Chrome to the latest Canary 67.0.3375.0 and confirm if the issue is fixed. Thanks.
Mar 20 2018
I've confirmed that the issue is fixed on 67.0.3375.0. Thank you for fixing :)
Mar 20 2018
Thanks for your feedback! As per the confirmation given by babatakao in comment#13, the issue seems to be fixed in 67.0.3375.0, hence adding verified labels. Removing "Needs-Feedback".
Mar 21 2018
@Stephen Chenney: Could you please help us verify the fix in the latest beta 66.0.3359.45, as we are unable to reproduce the issue (i.e., we could not see any errors while opening the pdf.svg file) on the reported Chrome version 66.0.3346.0. It would be highly helpful if given a confirmation on the fix. Adding label Needs-Feedback. Thanks!
Mar 22 2018
If you see no errors then it's verified.
Attachment (Comment 1 by babata...@gmail.com, Feb 14 2018): 142 KB