From 4dbb614775571ea335502f5b8968f17c71a43e1b Mon Sep 17 00:00:00 2001
From: Jonathan Watt
Date: Tue, 6 Jun 2017 17:04:37 +0100
Subject: [PATCH] Bug 1365189, part 1 - Prevent SVG elements that are neither displayable nor paint servers from painting. r=dholbert
MozReview-Commit-ID: 97Q9PN4eUBw
---
 layout/painting/nsImageRenderer.cpp | 11 +++++++++--
 layout/svg/nsSVGIntegrationUtils.cpp | 7 +++++++
 2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/layout/painting/nsImageRenderer.cpp b/layout/painting/nsImageRenderer.cpp
index 9b6874601ac4..c1c11ad0b819 100644
--- a/layout/painting/nsImageRenderer.cpp
+++ b/layout/painting/nsImageRenderer.cpp
@@ -19,6 +19,7 @@
 #include "nsCSSRenderingGradients.h"
 #include "nsIFrame.h"
 #include "nsStyleStructInlines.h"
+#include "nsSVGDisplayableFrame.h"
 #include "nsSVGEffects.h"
 #include "nsSVGIntegrationUtils.h"
@@ -192,11 +193,17 @@ nsImageRenderer::PrepareImage()
 mImageElementSurface = nsLayoutUtils::SurfaceFromElement(property->GetReferencedElement());
 if (!mImageElementSurface.GetSourceSurface()) {
- mPaintServerFrame = property->GetReferencedFrame();
- if (!mPaintServerFrame) {
+ nsIFrame* paintServerFrame = property->GetReferencedFrame();
+ // If there's no referenced frame, or the referenced frame is
+ // non-displayable SVG, then we have nothing valid to paint.
+ if (!paintServerFrame ||
+ (paintServerFrame->IsFrameOfType(nsIFrame::eSVG) &&
+ !paintServerFrame->IsFrameOfType(nsIFrame::eSVGPaintServer) &&
+ !static_cast(do_QueryFrame(paintServerFrame)))) {
 mPrepareResult = DrawResult::BAD_IMAGE;
 return false;
 }
+ mPaintServerFrame = paintServerFrame;
 }
 mPrepareResult = DrawResult::SUCCESS;
diff --git a/layout/svg/nsSVGIntegrationUtils.cpp b/layout/svg/nsSVGIntegrationUtils.cpp
index 7a31a79012db..cb5b229cd66b 100644
--- a/layout/svg/nsSVGIntegrationUtils.cpp
+++ b/layout/svg/nsSVGIntegrationUtils.cpp
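Review bot: In the nsImageRenderer::PrepareImage() hunk of layout/painting/nsImageRenderer.cpp, the "is this SVG frame paintable" test is written inline as a three-clause condition, while a second, differently shaped copy of it (without the eSVGPaintServer clause) is added to nsSVGIntegrationUtils::DrawableFromPaintServer in the same patch. That second copy asserts that this one has already filtered the frame, so the two must stay in agreement; a single named predicate shared by both would make the dependency explicit, and short of that a comment such as `// Keep in sync with the check in nsSVGIntegrationUtils::DrawableFromPaintServer.` above the condition would record it. The cast result is used only as a null test, so storing it in a named local or comparing it against `nullptr` would read more clearly than negating the `static_cast` expression. PrepareImage starts and ends outside the hunk.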
@@ -1242,6 +1242,13 @@ nsSVGIntegrationUtils::DrawableFromPaintServer(nsIFrame* aFrame,
 return drawable.forget();
 }
+ if (aFrame->IsFrameOfType(nsIFrame::eSVG) &&
+ !static_cast(do_QueryFrame(aFrame))) {
+ MOZ_ASSERT_UNREACHABLE("We should prevent painting of unpaintable SVG "
+ "before we get here");
+ return nullptr;
+ }
+
 // We don't want to paint into a surface as long as we don't need to, so we
 // set up a drawing callback.
 RefPtr cb =
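Review bot: The new early `return nullptr;` in DrawableFromPaintServer is the only protection left in non-debug builds, because MOZ_ASSERT_UNREACHABLE is a debug-only assertion, so every caller has to tolerate a null drawable. Whether they do is not visible in this hunk and is worth confirming for callers other than nsImageRenderer. The check also depends on paint-server frames having been handled before this point; the `return drawable.forget();` context line suggests they were, but that branch lies outside the hunk. A comment above the check, for example `// Paint servers were handled above; any other SVG frame must be displayable, otherwise return null (the assertion is debug-only).`, would record both assumptions. The function continues past the end of the hunk.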