Crash in SVGGeometryElement::isPointInFill

https://bugs.webkit.org/show_bug.cgi?id=265802 rdar://119142303 Reviewed by Ryosuke Niwa. Check for empty objects. * LayoutTests/fast/svg/isPointInFill-without-path-expected.txt: Added. * LayoutTests/fast/svg/isPointInFill-without-path.html: Added. * Source/WebCore/rendering/svg/legacy/LegacyRenderSVGShape.cpp: (WebCore::LegacyRenderSVGShape::shapeDependentFillContains const): Canonical link: https://commits.webkit.org/273494@main
WebKit · Jan 25, 2024 · 89b5637 · 89b5637
1 parent 268bc37
commit 89b5637
Show file tree

Hide file tree

Showing 4 changed files with 18 additions and 0 deletions.
diff --git a/LayoutTests/fast/svg/isPointInFill-without-path-expected.txt b/LayoutTests/fast/svg/isPointInFill-without-path-expected.txt
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: Error: Invalid value for <rect> attribute y="1 -1 62"
+CONSOLE MESSAGE: Error: Invalid negative value for <rect> attribute width="-1cm"
+ALERT: This test passes if it does not crash
+
diff --git a/LayoutTests/fast/svg/isPointInFill-without-path.html b/LayoutTests/fast/svg/isPointInFill-without-path.html
@@ -0,0 +1,10 @@
+<script>
+if (window.testRunner) { testRunner.dumpAsText() }
+function checkPointInFill() {
+    var result = rectElement.isPointInFill();
+    alert("This test passes if it does not crash");
+}
+</script>
+<body onload=checkPointInFill()>
+<svg id="svgElement" transform="skewY(0)" style="font-variant-caps: titling-case; rotation: 0deg; text-decoration-upright: all none; box-ordinal-group: 1; grid-template: none/-1px" xml:space="default" baseProfile="full" xml:space="preserve" preserveAlpha="true" points="1,1 12,0" x="1em" role="button" role="button">
+<rect id="rectElement" x="20em" y="1 -1 62" width="-1cm" height="1cm" font-size="4px" transform="skewX(-1) skewX(6)" fill="url(#doesnotexist) currentColor" clip-path="url(#svgElement)" repeatDur="4s" vert-origin-y="10" onclick="eventhandler4()" refX="56" fx="1" />
diff --git a/Source/WebCore/rendering/svg/RenderSVGRect.cpp b/Source/WebCore/rendering/svg/RenderSVGRect.cpp
@@ -190,6 +190,8 @@ bool RenderSVGRect::shapeDependentStrokeContains(const FloatPoint& point, PointC
 
 bool RenderSVGRect::shapeDependentFillContains(const FloatPoint& point, const WindRule fillRule) const
 {
+    if (m_shapeType == ShapeType::Empty)
+        return false;
     if (m_shapeType != ShapeType::Rectangle)
         return RenderSVGShape::shapeDependentFillContains(point, fillRule);
     return m_fillBoundingBox.contains(point.x(), point.y());

diff --git a/Source/WebCore/rendering/svg/legacy/LegacyRenderSVGRect.cpp b/Source/WebCore/rendering/svg/legacy/LegacyRenderSVGRect.cpp
@@ -187,6 +187,8 @@ bool LegacyRenderSVGRect::shapeDependentStrokeContains(const FloatPoint& point,
 
 bool LegacyRenderSVGRect::shapeDependentFillContains(const FloatPoint& point, const WindRule fillRule) const
 {
+    if (m_shapeType == ShapeType::Empty)
+        return false;
     if (m_shapeType != ShapeType::Rectangle)
         return LegacyRenderSVGShape::shapeDependentFillContains(point, fillRule);
     return m_fillBoundingBox.contains(point.x(), point.y());