From 8c980cf75b0c0bbf294a9ba389a13838ee0811b5 Mon Sep 17 00:00:00 2001
From: Aliaksandr Kalenik <kalenik.aliaksandr@gmail.com>
Date: Wed, 21 Jun 2023 19:17:15 +0300
Subject: [PATCH] LibWeb: Do not crash inside SVGDecodedImageData on invalid
 SVG input

Return error when input svg is not valid and SVGSVGElement is not
present in the tree instead of doing svg_root nullptr dereference.

Fixes crash on https://apps.kde.org/en-gb/
---
 Tests/LibWeb/Layout/expected/svg/svg-as-image-invalid.txt | 4 ++++
 Tests/LibWeb/Layout/input/svg/svg-as-image-invalid.html   | 1 +
 Userland/Libraries/LibWeb/SVG/SVGDecodedImageData.cpp     | 3 +++
 3 files changed, 8 insertions(+)
 create mode 100644 Tests/LibWeb/Layout/expected/svg/svg-as-image-invalid.txt
 create mode 100644 Tests/LibWeb/Layout/input/svg/svg-as-image-invalid.html

diff --git a/Tests/LibWeb/Layout/expected/svg/svg-as-image-invalid.txt b/Tests/LibWeb/Layout/expected/svg/svg-as-image-invalid.txt
new file mode 100644
index 0000000000..22719b50a5
--- /dev/null
+++ b/Tests/LibWeb/Layout/expected/svg/svg-as-image-invalid.txt
@@ -0,0 +1,4 @@
+Viewport <#document> at (0,0) content-size 800x600 children: not-inline
+  BlockContainer <html> at (0,0) content-size 800x48 [BFC] children: not-inline
+    BlockContainer <body> at (8,8) content-size 784x32 children: not-inline
+      ImageBox <img> at (8,8) content-size 16x32 children: not-inline
diff --git a/Tests/LibWeb/Layout/input/svg/svg-as-image-invalid.html b/Tests/LibWeb/Layout/input/svg/svg-as-image-invalid.html
new file mode 100644
index 0000000000..a7f142a739
--- /dev/null
+++ b/Tests/LibWeb/Layout/input/svg/svg-as-image-invalid.html
@@ -0,0 +1 @@
+<!doctype html><img src="data:image/svg+xml;,some-garbage" style="display: block">
\ No newline at end of file
diff --git a/Userland/Libraries/LibWeb/SVG/SVGDecodedImageData.cpp b/Userland/Libraries/LibWeb/SVG/SVGDecodedImageData.cpp
index 347a954090..702d45a385 100644
--- a/Userland/Libraries/LibWeb/SVG/SVGDecodedImageData.cpp
+++ b/Userland/Libraries/LibWeb/SVG/SVGDecodedImageData.cpp
@@ -70,6 +70,9 @@ ErrorOr<NonnullRefPtr<SVGDecodedImageData>> SVGDecodedImageData::create(Page& ho
     // Perform some DOM surgery to make the SVG root element be the first child of the Document.
     // FIXME: This is a huge hack until we figure out how to actually parse separate SVG files.
     auto* svg_root = document->body()->first_child_of_type<SVG::SVGSVGElement>();
+    if (!svg_root)
+        return Error::from_string_literal("SVGDecodedImageData: Invalid SVG input");
+
     svg_root->remove();
     document->remove_all_children();