major image scaling bug

Andreas Neumann
Hi Mozilla-SVG developers!

I recently stumbled across a bug when raster images are embedded into
SVG files. If one sets the width/height attributes unproportionally,
the image is still always scaled proportionally, which is wrong.

Testcase:
http://www.carto.net/neumann/temp/imagescaling_test.svg

The images should appear unproportionally scaled, but appear
proportionally scaled.

I tested it with Firefox 1.5 RC3.

I saw that a bug on this was already opened
(https://bugzilla.mozilla.org/show_bug.cgi?id=309173), but the status
is still unconfirmed:

Are you aware of this bug? I think it is a major bug, but probably easy
to fix. Will you be able to make the fix into 1.5 final release?

Thanks a lot for your help,
Andreas

_______________________________________________
Mozilla-svg mailing list
[hidden email]
http://mail.mozilla.org/listinfo/mozilla-svg

Re: major image scaling bug

Jonathan Watt-2
Hi Andreas,

Andreas Neumann wrote:
> Hi Mozilla-SVG developers!
>
> I recently stumbled across a bug when raster images are embedded into
> SVG files. If one sets the width/height attributes unproportionally,
> the image is still always scaled proportionally, which is wrong.

Actually it's right. The default value of the preserveAspectRatio attribute is
'xMidYMid meet', so if you don't want to preserve the aspect ratio you have to
specify preserveAspectRatio="none".

> Testcase:
> http://www.carto.net/neumann/temp/imagescaling_test.svg
>
> The images should appear unproportionally scaled, but appear
> proportionally scaled.
>
> I tested it with Firefox 1.5 RC3.
>
> I saw that a bug on this was already opened
> (https://bugzilla.mozilla.org/show_bug.cgi?id=309173), but the status
> is still unconfirmed:

I'll comment there too.

> Are you aware of this bug? I think it is a major bug, but probably easy
> to fix. Will you be able to make the fix into 1.5 final release?

No more SVG fixes will be made before FF1.5 is released. The only possible
exceptions would be if a *major* security hole was found, and even then the
powers that be would more likely turn SVG off than take a fix this late in the game.

-Jonathan
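
Added example, not part of the original thread or of Mozilla's code: a sketch of how the preserveAspectRatio values discussed in the reply above place a raster inside the width/height box of an SVG image element. It goes beyond the default 'xMidYMid meet' to cover the other align values and slice; the function name imageBox and the sample sizes are assumptions.

```javascript
// Hypothetical helper (added illustration): returns the box the raster is
// painted into, given the <image> element's x/y/width/height ("viewport")
// and the raster's intrinsic pixel size.
function imageBox(viewport, intrinsic, par = "xMidYMid meet") {
  // Grammar handled here: <align> [meet|slice]. The SVG 1.1 "defer" prefix
  // is not handled and is rejected like any other unknown value.
  const m = /^(none|x(Min|Mid|Max)Y(Min|Mid|Max))(?:\s+(meet|slice))?$/.exec(par.trim());
  if (!m) throw new Error(`unsupported preserveAspectRatio: ${par}`);

  const { x, y, width, height } = viewport;
  // "none": non-uniform scaling, the raster is stretched to fill the box.
  if (m[1] === "none") return { x, y, width, height };

  const sx = width / intrinsic.width;
  const sy = height / intrinsic.height;
  // meet (default): largest uniform scale that fits inside the box.
  // slice: smallest uniform scale that covers the box; the overflow is clipped,
  // so the returned box can extend past the viewport.
  const scale = m[4] === "slice" ? Math.max(sx, sy) : Math.min(sx, sy);
  const w = intrinsic.width * scale;
  const h = intrinsic.height * scale;

  // Min/Mid/Max decide how the leftover (or overflowing) space is split.
  const frac = { Min: 0, Mid: 0.5, Max: 1 };
  return {
    x: x + (width - w) * frac[m[2]],
    y: y + (height - h) * frac[m[3]],
    width: w,
    height: h,
  };
}

// Constructed sample: a 200x100 raster with width="100" height="200".
const viewport = { x: 0, y: 0, width: 100, height: 200 };
const raster = { width: 200, height: 100 };

console.log("default:", imageBox(viewport, raster));
console.log("none:   ", imageBox(viewport, raster, "none"));
console.log("slice:  ", imageBox(viewport, raster, "xMidYMid slice"));
```

With the default value the raster keeps its 2:1 shape and is centred in the box; only preserveAspectRatio="none" gives the stretched result the original report expected.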

Re: major image scaling bug

Jim Ley
On Wed, 23 Nov 2005 11:46:20 +0000, Jonathan Watt
<[hidden email]> wrote:

>No more SVG fixes will be made before FF1.5 is released. The only possible
>exceptions would be if a *major* security hole was found, and even then the
>powers that be would more likely turn SVG off than take a fix this late in the game.

Does this mean it's mozilla policy to release with security holes
other than *major* ones still within the product?

Jim.

Re: major image scaling bug

Jonathan Watt-2
Jim Ley wrote:

> On Wed, 23 Nov 2005 11:46:20 +0000, Jonathan Watt
> <[hidden email]> wrote:
>
>> No more SVG fixes will be made before FF1.5 is released. The only possible
>> exceptions would be if a *major* security hole was found, and even then the
>> powers that be would more likely turn SVG off than take a fix this late in the game.
>
> Does this mean it's mozilla policy to release with security holes
> other than *major* ones still within the product?
>
> Jim.

No, as you know that's not what I meant. For the record, I'm not a policy maker,
and I'm not part of the group that decides which security holes need to be patched.

-Jonathan

Re: major image scaling bug

Jim Ley
On Wed, 23 Nov 2005 12:16:26 +0000, Jonathan Watt
<[hidden email]> wrote:

> I'm not part of the group that decides which security holes need to be patched.

That sounds like a tough job,

<BILL> What security holes shall we patch?
<BEN> All of 'em?
<BILL> sounds good, Beer?
...

Jim.

Re: major image scaling bug

Jonathan Watt-2
Jim Ley wrote:

> On Wed, 23 Nov 2005 12:16:26 +0000, Jonathan Watt
> <[hidden email]> wrote:
>
>> I'm not part of the group that decides which security holes need to be patched.
>
> That sounds like a tough job,
>
> <BILL> What security holes shall we patch?
> <BEN> All of 'em?
> <BILL> sounds good, Beer?
> ...
>
> Jim.

I meant to quote "security holes".

Re: major image scaling bug

Andreas Neumann
In reply to this post by Jonathan Watt-2
ok,

Jonathan, I apologize for being misinformed about what the spec says.

In that case ASV and Opera9 are wrong and I have to forward the bug to
them.

Sorry for the fuss, it works fine if I add preserveAspectRatio="none".

Andreas


Re: major image scaling bug

Jonathan Watt-2
Hi Andreas,

Andreas Neumann wrote:
> ok,
>
> Jonathan, I apologize for being misinformed about what the spec says.

No need. As we all know the spec is huge and can be difficult to understand.

> In that case ASV and Opera9 are wrong and I have to forward the bug to
> them.
>
> Sorry for the fuss, it works fine if I add preserveAspectRatio="none".

Great. Thanks for the report anyway. We'd rather hear about possible bugs than
have them slip through the net, and when you're unsure about whether something's
a bug or not the newsgroup is a good place to ask. :-)

-Jonathan

Re: major image scaling bug

Boris Zbarsky
In reply to this post by Jim Ley
Jim Ley wrote:
> <BILL> What security holes shall we patch?
> <BEN> All of 'em?
> <BILL> sounds good, Beer?

Well.  A real conversation is more like:

<BILL> Is this bug a security hole?
<BEN> Well, I don't know.  We know it's a crash, but we have no idea why it's
happening and we've never caught it in a debugger.  All we have is the automated
talkback data that indicates users are hitting it.  From looking at the stack
and the code around the line where we crash, it looks likely that this is just a
null pointer dereference, which would not be a security hole.  But there are
other things that can cause crashes that might be exploitable.
<BILL> Well, should we hold the release until we get this reproduced and
diagnosed, if that ever happens?

Or like:

<BILL> Is this bug a security hole?
<BOB> Well, I suppose given the right conjunction of factors, including a quite
unlikely DNS resolver configuration and some odd actions on the part of the user
we could end up being confused about what sites are which.  But it's not
obvious to me what we can do about it, given the information DNS gives us, and
frankly it seems to me that this is more of a bug in said DNS resolver
configuration.
<BILL> Well, should we hold the release until we come up with something to deal
with this?

The point being that the hard part is telling whether a bug is a security hole
at all, not so much whether to fix it once you know it's a security hole.

-Boris

Re: major image scaling bug

Jim Ley
On Wed, 23 Nov 2005 07:55:39 -0600, Boris Zbarsky <[hidden email]>
wrote:

>Jim Ley wrote:
>> <BILL> What security holes shall we patch?
>> <BEN> All of 'em?
>> <BILL> sounds good, Beer?
>
>Well.  A real conversation is more like:

It wasn't intended to be a serious comment, neither was the original
one of course...

Thanks for clarifying for the google people though.

Cheers,

Jim.