author | Andreas Kling <kling@serenityos.org> | 2023-05-19 15:14:34 +0200 |
---|---|---|
committer | Andreas Kling <kling@serenityos.org> | 2023-05-19 15:41:34 +0200 |
commit | 6f204f8c32ca14ed337a1ff946c637330921e71e (patch) | |
tree | 5b6be9f2520390c609fb0a853a60d8a9b2e06df0 | |
parent | 411b28fc592118a38b0a3aeb95b1fe0a05006aa9 (diff) | |
download | serenity-6f204f8c32ca14ed337a1ff946c637330921e71e.zip |
LibWeb: Fix null dereference on SVG element with bogus fill URL
Fixes a crash seen on YouTube channel pages.
3 files changed, 15 insertions, 5 deletions
diff --git a/Tests/LibWeb/Layout/expected/svg/svg-fill-with-bogus-url.txt b/Tests/LibWeb/Layout/expected/svg/svg-fill-with-bogus-url.txt
new file mode 100644
index 0000000000..6dddd2e8da
--- /dev/null
+++ b/Tests/LibWeb/Layout/expected/svg/svg-fill-with-bogus-url.txt
@@ -0,0 +1,7 @@
+Viewport <#document> at (0,0) content-size 800x600 children: not-inline
+ BlockContainer <html> at (0,0) content-size 800x37.835937 [BFC] children: not-inline
+ BlockContainer <body> at (8,8) content-size 784x21.835937 children: inline
+ line 0 width: 0, height: 21.835937, bottom: 21.835937, baseline: 100
+ frag 0 from SVGSVGBox start: 0, length: 0, rect: [8,8 0x0]
+ SVGSVGBox <svg> at (8,8) content-size 0x0 [SVG] children: not-inline
+ SVGGeometryBox <rect> at (8,8) content-size 100x100 children: not-inline
diff --git a/Tests/LibWeb/Layout/input/svg/svg-fill-with-bogus-url.html b/Tests/LibWeb/Layout/input/svg/svg-fill-with-bogus-url.html
new file mode 100644
index 0000000000..c9ab126e43
--- /dev/null
+++ b/Tests/LibWeb/Layout/input/svg/svg-fill-with-bogus-url.html
@@ -0,0 +1,3 @@
+<!doctype html><style>
+* { font: 20px SerenitySans; }
+</style><svg viewBox="0 0 100 100"><rect x=0 y=0 width=100 height=100 fill="url(#bogus)"></svg>
\ No newline at end of file
diff --git a/Userland/Libraries/LibWeb/SVG/SVGGraphicsElement.cpp b/Userland/Libraries/LibWeb/SVG/SVGGraphicsElement.cpp
index d62b2f97c4..3fbd746421 100644
--- a/Userland/Libraries/LibWeb/SVG/SVGGraphicsElement.cpp
+++ b/Userland/Libraries/LibWeb/SVG/SVGGraphicsElement.cpp
@@ -51,11 +51,11 @@ Optional<Gfx::PaintStyle const&> SVGGraphicsElement::fill_paint_style(SVGPaintCo
 if (!fill.has_value() || !fill->is_url())
 return {};
 auto& url = fill->as_url();
- auto maybe_gradient = document().get_element_by_id(url.fragment());
- if (is<SVG::SVGGradientElement>(*maybe_gradient)) {
- auto& gradient = verify_cast<SVG::SVGGradientElement>(*maybe_gradient);
- return gradient.to_gfx_paint_style(paint_context);
- }
+ auto gradient = document().get_element_by_id(url.fragment());
+ if (!gradient)
+ return {};
+ if (is<SVG::SVGGradientElement>(*gradient))
+ return static_cast<SVG::SVGGradientElement const&>(*gradient).to_gfx_paint_style(paint_context);
 return {};
 } |
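Review bot: The local `gradient` holds whatever element carries the id taken from the page's `fill` URL, so until the `is<SVG::SVGGradientElement>` check it may be null or an unrelated element, and the new name hides that. I would keep a neutral name and fold both guards into one: `auto element = document().get_element_by_id(url.fragment());` followed by `if (!element || !is<SVG::SVGGradientElement>(*element)) return {};`. A one-line comment such as `// The id comes from page content: it may match nothing, or an element that is not a gradient.` would record why both checks are needed. Only `url.fragment()` is consulted in the visible lines, so a `url()` that names a different document would presumably still be resolved against this one; worth confirming that is intended. The body of `fill_paint_style` starts above the hunk and no sibling lookups are visible here, so the same unchecked dereference may remain at other call sites.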