From 0afdde0eefcbed2903d568eb470b5bb629346488 Mon Sep 17 00:00:00 2001
From: Cameron Youell <cameronyouell@gmail.com>
Date: Fri, 26 May 2023 21:53:13 +1000
Subject: [PATCH] LibWeb: Consume sign in `SVG::parse_elliptical_arg_argument`

This was crashing on google.com with the linux chrome user agent,
interestingly it seems like this behavior may have been accidental as
only two of the three `parse_number()` were changed in f7dbcb6
---
 .../expected/svg/svg-negative-elliptical-arg-number.txt    | 7 +++++++
 .../input/svg/svg-negative-elliptical-arg-number.html      | 5 +++++
 Userland/Libraries/LibWeb/SVG/AttributeParser.cpp          | 4 ++--
 3 files changed, 14 insertions(+), 2 deletions(-)
 create mode 100644 Tests/LibWeb/Layout/expected/svg/svg-negative-elliptical-arg-number.txt
 create mode 100644 Tests/LibWeb/Layout/input/svg/svg-negative-elliptical-arg-number.html

diff --git a/Tests/LibWeb/Layout/expected/svg/svg-negative-elliptical-arg-number.txt b/Tests/LibWeb/Layout/expected/svg/svg-negative-elliptical-arg-number.txt
new file mode 100644
index 0000000000..ec27a54b6c
--- /dev/null
+++ b/Tests/LibWeb/Layout/expected/svg/svg-negative-elliptical-arg-number.txt
@@ -0,0 +1,7 @@
+Viewport <#document> at (0,0) content-size 800x600 children: not-inline
+  BlockContainer <html> at (0,0) content-size 800x116 [BFC] children: not-inline
+    BlockContainer <body> at (8,8) content-size 784x100 children: inline
+      line 0 width: 100, height: 100, bottom: 100, baseline: 48
+        frag 0 from SVGSVGBox start: 0, length: 0, rect: [8,8 100x100]
+      SVGSVGBox <svg> at (8,8) content-size 100x100 [SVG] children: not-inline
+        SVGGeometryBox <path> at (8,9.999999) content-size 100x48 children: not-inline
diff --git a/Tests/LibWeb/Layout/input/svg/svg-negative-elliptical-arg-number.html b/Tests/LibWeb/Layout/input/svg/svg-negative-elliptical-arg-number.html
new file mode 100644
index 0000000000..436c375015
--- /dev/null
+++ b/Tests/LibWeb/Layout/input/svg/svg-negative-elliptical-arg-number.html
@@ -0,0 +1,5 @@
+<!DOCTYPE html><html><body><svg 
+	xmlns="http://www.w3.org/2000/svg"
+	width="100"
+	height="100"
+	viewBox="0 0 10 10"><path d="M0,5 10,5 5.5,.5 a 1,-1 0 0 0 -.5,-.3 1,-1 0 0 0 -.5, .2">
\ No newline at end of file
diff --git a/Userland/Libraries/LibWeb/SVG/AttributeParser.cpp b/Userland/Libraries/LibWeb/SVG/AttributeParser.cpp
index 9649eb38e7..eb111fbb75 100644
--- a/Userland/Libraries/LibWeb/SVG/AttributeParser.cpp
+++ b/Userland/Libraries/LibWeb/SVG/AttributeParser.cpp
@@ -343,10 +343,10 @@ Vector<float> AttributeParser::parse_coordinate_pair_triplet()
 Vector<float> AttributeParser::parse_elliptical_arg_argument()
 {
     Vector<float> numbers;
-    numbers.append(parse_nonnegative_number());
+    numbers.append(parse_number());
     if (match_comma_whitespace())
         parse_comma_whitespace();
-    numbers.append(parse_nonnegative_number());
+    numbers.append(parse_number());
     if (match_comma_whitespace())
         parse_comma_whitespace();
     numbers.append(parse_number());