LadybirdBrowser/ladybird
1
1
Fork 0
mirror of https://github.com/LadybirdBrowser/ladybird.git synced 2024-09-11 05:25:32 +03:00
Code Issues Packages Projects Releases Wiki Activity

LibWeb/SVG: Ensure SVG transform has an inverse before using it

Browse Source 
This avoids a crash that occurred when calling `getBBox()` on an SVG
element that had a transform with no inverse.

Found by Domato.
This commit is contained in:
Tim Ledbetter 2024-07-21 23:29:06 +01:00 committed by Andreas Kling
parent 4cdafea363
commit d417b75683
Notes: github-actions[bot] 2024-07-22 07:14:16 +00:00 
Author: https://github.com/tcl3
Commit: https://github.com/LadybirdBrowser/ladybird/commit/d417b756836
Pull-request: https://github.com/LadybirdBrowser/ladybird/pull/758
3 changed files with 17 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
Tests/LibWeb/Text/expected/SVG/svg-getbbox-transform-with-no-inverse.txt Normal file
View File

@ -0,0 +1 @@
PASS (didn't crash)

12
Tests/LibWeb/Text/input/SVG/svg-getbbox-transform-with-no-inverse.html Normal file
View File

@ -0,0 +1,12 @@
<!DOCTYPE html>
<script src="../include.js"></script>
<svg xmlns="http://www.w3.org/2000/svg">
<rect id="rectElement" x="0" y="0" width="100" height="100" transform="scale(0)" />
</svg>
<script>
test(() => {
const rectElement = document.getElementById("rectElement");
rectElement.getBBox();
println("PASS (didn't crash)");
});
</script>

7
Userland/Libraries/LibWeb/SVG/SVGGraphicsElement.cpp
View File

@ -273,9 +273,10 @@ JS::NonnullGCPtr<Geometry::DOMRect> SVGGraphicsElement::get_b_box(Optional<SVGBo
// Invert the SVG -> screen space transform.
auto svg_element_rect = shadow_including_first_ancestor_of_type<SVG::SVGSVGElement>()->paintable_box()->absolute_rect();
auto inverse_transform = static_cast<Painting::SVGGraphicsPaintable&>(*paintable_box()).computed_transforms().svg_to_css_pixels_transform().inverse();
return Geometry::DOMRect::create(realm(),
inverse_transform->map(
paintable_box()->absolute_rect().to_type<float>().translated(-svg_element_rect.location().to_type<float>())));
auto translated_rect = paintable_box()->absolute_rect().to_type<float>().translated(-svg_element_rect.location().to_type<float>());
if (inverse_transform.has_value())
translated_rect = inverse_transform->map(translated_rect);
return Geometry::DOMRect::create(realm(), translated_rect);
}
JS::NonnullGCPtr<SVGAnimatedTransformList> SVGGraphicsElement::transform() const