From 098a2ad2e9684d27bd4b724d8eb8be96a87d8284 Mon Sep 17 00:00:00 2001
From: Tim Ledbetter <timledbetter@gmail.com>
Date: Sun, 21 Jul 2024 23:29:06 +0100
Subject: [PATCH] LibWeb/SVG: Ensure SVG transform has an inverse before using
 it

This avoids a crash that occurred when calling `getBBox()` on an SVG
element that had a transform with no inverse.

Found by Domato.

(cherry picked from commit d417b7568360f20487e4182e52872b82c8fbbf60)
---
 .../SVG/svg-getbbox-transform-with-no-inverse.txt    |  1 +
 .../SVG/svg-getbbox-transform-with-no-inverse.html   | 12 ++++++++++++
 Userland/Libraries/LibWeb/SVG/SVGGraphicsElement.cpp |  7 ++++---
 3 files changed, 17 insertions(+), 3 deletions(-)
 create mode 100644 Tests/LibWeb/Text/expected/SVG/svg-getbbox-transform-with-no-inverse.txt
 create mode 100644 Tests/LibWeb/Text/input/SVG/svg-getbbox-transform-with-no-inverse.html

diff --git a/Tests/LibWeb/Text/expected/SVG/svg-getbbox-transform-with-no-inverse.txt b/Tests/LibWeb/Text/expected/SVG/svg-getbbox-transform-with-no-inverse.txt
new file mode 100644
index 00000000000000..4262ea2770f295
--- /dev/null
+++ b/Tests/LibWeb/Text/expected/SVG/svg-getbbox-transform-with-no-inverse.txt
@@ -0,0 +1 @@
+    PASS (didn't crash)
diff --git a/Tests/LibWeb/Text/input/SVG/svg-getbbox-transform-with-no-inverse.html b/Tests/LibWeb/Text/input/SVG/svg-getbbox-transform-with-no-inverse.html
new file mode 100644
index 00000000000000..cfce7095b3f68e
--- /dev/null
+++ b/Tests/LibWeb/Text/input/SVG/svg-getbbox-transform-with-no-inverse.html
@@ -0,0 +1,12 @@
+<!DOCTYPE html>
+<script src="../include.js"></script>
+<svg xmlns="http://www.w3.org/2000/svg">
+    <rect id="rectElement" x="0" y="0" width="100" height="100" transform="scale(0)" />
+</svg>
+<script>
+    test(() => {
+        const rectElement = document.getElementById("rectElement");
+        rectElement.getBBox();
+        println("PASS (didn't crash)");
+    });
+</script>
diff --git a/Userland/Libraries/LibWeb/SVG/SVGGraphicsElement.cpp b/Userland/Libraries/LibWeb/SVG/SVGGraphicsElement.cpp
index 05da5027324114..cbfef15ed75763 100644
--- a/Userland/Libraries/LibWeb/SVG/SVGGraphicsElement.cpp
+++ b/Userland/Libraries/LibWeb/SVG/SVGGraphicsElement.cpp
@@ -272,9 +272,10 @@ JS::NonnullGCPtr<Geometry::DOMRect> SVGGraphicsElement::get_b_box(Optional<SVGBo
     // Invert the SVG -> screen space transform.
     auto svg_element_rect = shadow_including_first_ancestor_of_type<SVG::SVGSVGElement>()->paintable_box()->absolute_rect();
     auto inverse_transform = static_cast<Painting::SVGGraphicsPaintable&>(*paintable_box()).computed_transforms().svg_to_css_pixels_transform().inverse();
-    return Geometry::DOMRect::create(realm(),
-        inverse_transform->map(
-            paintable_box()->absolute_rect().to_type<float>().translated(-svg_element_rect.location().to_type<float>())));
+    auto translated_rect = paintable_box()->absolute_rect().to_type<float>().translated(-svg_element_rect.location().to_type<float>());
+    if (inverse_transform.has_value())
+        translated_rect = inverse_transform->map(translated_rect);
+    return Geometry::DOMRect::create(realm(), translated_rect);
 }
 
 JS::NonnullGCPtr<SVGAnimatedTransformList> SVGGraphicsElement::transform() const