Skip to content

Commit

Permalink
LibWeb/SVG: Ensure SVG transform has an inverse before using it
Browse files Browse the repository at this point in the history 
This avoids a crash that occurred when calling `getBBox()` on an SVG
element that had a transform with no inverse.

Found by Domato.
  • Loading branch information
@tcl3
tcl3 committed Jul 21, 2024
1 parent d5ddc8e commit 9714d67
Show file tree
Hide file tree
Showing 3 changed files with 17 additions and 3 deletions.
1 change: 1 addition & 0 deletions Tests/LibWeb/Text/expected/SVG/svg-getbbox-transform-with-no-inverse.txt
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
PASS (didn't crash)
12 changes: 12 additions & 0 deletions Tests/LibWeb/Text/input/SVG/svg-getbbox-transform-with-no-inverse.html
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
<!DOCTYPE html>
<script src="../include.js"></script>
<svg xmlns="http://www.w3.org/2000/svg">
<rect id="rectElement" x="0" y="0" width="100" height="100" transform="scale(0)" />
</svg>
<script>
test(() => {
const rectElement = document.getElementById("rectElement");
rectElement.getBBox();
println("PASS (didn't crash)");
});
</script>
7 changes: 4 additions & 3 deletions Userland/Libraries/LibWeb/SVG/SVGGraphicsElement.cpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -273,9 +273,10 @@ JS::NonnullGCPtr<Geometry::DOMRect> SVGGraphicsElement::get_b_box(Optional<SVGBo
// Invert the SVG -> screen space transform.
auto svg_element_rect = shadow_including_first_ancestor_of_type<SVG::SVGSVGElement>()->paintable_box()->absolute_rect();
auto inverse_transform = static_cast<Painting::SVGGraphicsPaintable&>(*paintable_box()).computed_transforms().svg_to_css_pixels_transform().inverse();
return Geometry::DOMRect::create(realm(),
inverse_transform->map(
paintable_box()->absolute_rect().to_type<float>().translated(-svg_element_rect.location().to_type<float>())));
auto translated_rect = paintable_box()->absolute_rect().to_type<float>().translated(-svg_element_rect.location().to_type<float>());
if (inverse_transform.has_value())
translated_rect = inverse_transform->map(translated_rect);
return Geometry::DOMRect::create(realm(), translated_rect);
}

JS::NonnullGCPtr<SVGAnimatedTransformList> SVGGraphicsElement::transform() const
Expand Down

0 comments on commit 9714d67

Please sign in to comment.