Crash in feComponentTransfer due to not checking for child node being in error
Found by AFL. Minimized:
<svg>
<filter id="f">
<feComponentTransfer>
<feFuncR type="table" tableValues="@"/>
</feComponentTransfer>
</filter>
<text filter="url(#f)">0</text>
</svg>
tableValues
remains empty and while there's a check for this kind of thing in set_atts()
, it gets skipped because of the early return with an error. However, the filter rendering is missing a check for whether the child node is in error or not.
@federico question: should I error out of rendering the filter in this case, or just log that the child node is in error and skip it (like we do for the rest of the nodes)? The latter option will lead to the filter being at least somewhat applied but with potentially different from correct result (rather than not applied at all).