Prevent use of stale list length for to-animations of transform lists

Source/core/svg/SVGTransformList.cpp

 /*
  * Copyright (C) 2004, 2005, 2008 Nikolas Zimmermann <zimmermann@kde.org>
  * Copyright (C) 2004, 2005, 2006, 2007 Rob Buis <buis@kde.org>
  * Copyright (C) 2007 Eric Seidel <eric@webkit.org>
  * Copyright (C) 2008 Apple Inc. All rights reserved.
  * Copyright (C) Research In Motion Limited 2012. All rights reserved.
  *
  * This library is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Library General Public
  * License as published by the Free Software Foundation; either
@@ skipping 295 matching lines @@
     bool isToAnimation = animationElement->animationMode() == ToAnimation;
 
     // Spec: To animations provide specific functionality to get a smooth change from the underlying value to the
     // ‘to’ attribute value, which conflicts mathematically with the requirement for additive transform animations
     // to be post-multiplied. As a consequence, in SVG 1.1 the behavior of to animations for ‘animateTransform’ is undefined
     // FIXME: This is not taken into account yet.
     RefPtr<SVGTransformList> fromList = isToAnimation ? this : toSVGTransformList(fromValue);
     RefPtr<SVGTransformList> toList = toSVGTransformList(toValue);
     RefPtr<SVGTransformList> toAtEndOfDurationList = toSVGTransformList(toAtEndOfDurationValue);
 
-    size_t fromListSize = fromList->length();
     size_t toListSize = toList->length();
-
     if (!toListSize)
         return;
 
+    // Get a reference to the from value before potentially cleaning it out (in the case of a To animation.)
+    RefPtr<SVGTransform> toTransform = toList->at(0);
+    RefPtr<SVGTransform> effectiveFrom = fromList->length() ? fromList->at(0) : SVGTransform::create(toTransform->transformType(), SVGTransform::ConstructZeroTransform);
+
     // Never resize the animatedTransformList to the toList size, instead either clear the list or append to it.
     if (!isEmpty() && !animationElement->isAdditive())
         clear();
 
-    RefPtr<SVGTransform> toTransform = toList->at(0);
-    RefPtr<SVGTransform> effectiveFrom = fromListSize ? fromList->at(0) : SVGTransform::create(toTransform->transformType(), SVGTransform::ConstructZeroTransform);
     RefPtr<SVGTransform> currentTransform = SVGTransformDistance(effectiveFrom, toTransform).scaledDistance(percentage).addToSVGTransform(effectiveFrom);
     if (animationElement->isAccumulated() && repeatCount) {
         RefPtr<SVGTransform> effectiveToAtEnd = !toAtEndOfDurationList->isEmpty() ? toAtEndOfDurationList->at(0) : SVGTransform::create(toTransform->transformType(), SVGTransform::ConstructZeroTransform);
         append(SVGTransformDistance::addSVGTransforms(currentTransform, effectiveToAtEnd, repeatCount));
     } else {
         append(currentTransform);
     }
 }
 
 float SVGTransformList::calculateDistance(PassRefPtr<SVGPropertyBase> toValue, SVGElement*)
 {
     // FIXME: This is not correct in all cases. The spec demands that each component (translate x and y for example)
     // is paced separately. To implement this we need to treat each component as individual animation everywhere.
 
     RefPtr<SVGTransformList> toList = toSVGTransformList(toValue);
     if (isEmpty() || length() != toList->length())
         return -1;
 
     ASSERT(length() == 1);
     if (at(0)->transformType() == toList->at(0)->transformType())
         return -1;
 
     // Spec: http://www.w3.org/TR/SVG/animate.html#complexDistances
     // Paced animations assume a notion of distance between the various animation values defined by the ‘to’, ‘from’, ‘by’ and ‘values’ attributes.
     // Distance is defined only for scalar types (such as <length>), colors and the subset of transformation types that are supported by ‘animateTransform’.
     return SVGTransformDistance(at(0), toList->at(0)).distance();
 }
 
 }