From 551c7f966bfdc543926cc3e52133be76aaaa31fe Mon Sep 17 00:00:00 2001 From: Tim Ledbetter Date: Wed, 10 Sep 2025 09:51:56 +0100 Subject: [PATCH] LibWeb: Use correct root element when resolving paint properties Previously, the first `HTMLHtmlELement` in the given document would always be used when determining whether to propagate background properties to the body element. This meant the wrong root element was used for SVG `foreignObject` elements, which could lead to a crash. --- Libraries/LibWeb/Painting/PaintableBox.cpp | 3 ++- .../Crash/SVG/foreignObject-with-html-root-element.svg | 6 ++++++ 2 files changed, 8 insertions(+), 1 deletion(-) create mode 100644 Tests/LibWeb/Crash/SVG/foreignObject-with-html-root-element.svg diff --git a/Libraries/LibWeb/Painting/PaintableBox.cpp b/Libraries/LibWeb/Painting/PaintableBox.cpp index 821f3702bcf..0a5f20b19f1 100644 --- a/Libraries/LibWeb/Painting/PaintableBox.cpp +++ b/Libraries/LibWeb/Painting/PaintableBox.cpp @@ -1537,7 +1537,8 @@ void PaintableBox::resolve_paint_properties() // Section 2.11.2: If the computed value of background-image on the root element is none and its background-color is transparent, // user agents must instead propagate the computed values of the background properties from that element’s first HTML BODY child element. - if (document().html_element()->should_use_body_background_properties()) { + auto& html_element = as(*layout_node_with_style_and_box_metrics().dom_node()); + if (html_element.should_use_body_background_properties()) { background_layers = document().background_layers(); background_color = document().background_color(); } diff --git a/Tests/LibWeb/Crash/SVG/foreignObject-with-html-root-element.svg b/Tests/LibWeb/Crash/SVG/foreignObject-with-html-root-element.svg new file mode 100644 index 00000000000..c6d6e02436f --- /dev/null +++ b/Tests/LibWeb/Crash/SVG/foreignObject-with-html-root-element.svg @@ -0,0 +1,6 @@ + + + + + +