Title: [164743] trunk
Revision: 164743
Author: bjone...@adobe.com
Date: 2014-02-26 13:27:10 -0800 (Wed, 26 Feb 2014)

Log Message

[CSS Shapes] inset and inset-rectangle trigger assert with replaced element and large percentage dimension
https://bugs.webkit.org/show_bug.cgi?id=129060

Reviewed by Simon Fraser.

Source/WebCore:

A bounds check was omitted when computing the width and height for inset
rectangles, making it possible for the width or height to end up being
negative. This patch adds in that check for both. It seems that only
replaced elements like iframe and img trigger this problem.

Tests: fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-negative-width-crash.html
       fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-rectangle-negative-width-crash.html

* rendering/shapes/Shape.cpp:
(WebCore::Shape::createShape):

LayoutTests:

* fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-negative-width-crash-expected.txt: Added.
* fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-negative-width-crash.html: Added.
* fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-rectangle-negative-width-crash-expected.txt: Added.
* fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-rectangle-negative-width-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (164742 => 164743)


--- trunk/LayoutTests/ChangeLog	2014-02-26 21:17:35 UTC (rev 164742)
+++ trunk/LayoutTests/ChangeLog	2014-02-26 21:27:10 UTC (rev 164743)
@@ -1,3 +1,15 @@
+2014-02-26  Bem Jones-Bey  <bjone...@adobe.com>
+
+        [CSS Shapes] inset and inset-rectangle trigger assert with replaced element and large percentage dimension
+        https://bugs.webkit.org/show_bug.cgi?id=129060
+
+        Reviewed by Simon Fraser.
+
+        * fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-negative-width-crash-expected.txt: Added.
+        * fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-negative-width-crash.html: Added.
+        * fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-rectangle-negative-width-crash-expected.txt: Added.
+        * fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-rectangle-negative-width-crash.html: Added.
+
 2014-02-26  Myles C. Maxfield  <mmaxfi...@apple.com>
 
         Underlines are too thick when zoomed in

Added: trunk/LayoutTests/fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-negative-width-crash-expected.txt (0 => 164743)


--- trunk/LayoutTests/fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-negative-width-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-negative-width-crash-expected.txt	2014-02-26 21:27:10 UTC (rev 164743)
@@ -0,0 +1 @@
+This test should not crash in a debug build. 

Added: trunk/LayoutTests/fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-negative-width-crash.html (0 => 164743)


--- trunk/LayoutTests/fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-negative-width-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-negative-width-crash.html	2014-02-26 21:27:10 UTC (rev 164743)
@@ -0,0 +1,14 @@
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+</script>
+<style>
+    img {
+        width: 10px;
+        height: 10px;
+        float: right;
+        -webkit-shape-outside: inset(0 125% 0 0); 
+    }
+</style>
+This test should not crash in a debug build.
+<img></img>
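Review bot: The test at `-webkit-shape-outside: inset(0 125% 0 0);` only pushes the right inset past 100%, so only the clamped width expression is exercised; the height clamp added in the same change has no coverage. Add a case with the bottom inset over 100%, and since the log message names iframe as well as img, consider covering an iframe too. Minor: img is a void element, so `<img></img>` should be `<img>`.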

Added: trunk/LayoutTests/fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-rectangle-negative-width-crash-expected.txt (0 => 164743)


--- trunk/LayoutTests/fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-rectangle-negative-width-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-rectangle-negative-width-crash-expected.txt	2014-02-26 21:27:10 UTC (rev 164743)
@@ -0,0 +1 @@
+This test should not crash in a debug build. 

Added: trunk/LayoutTests/fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-rectangle-negative-width-crash.html (0 => 164743)


--- trunk/LayoutTests/fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-rectangle-negative-width-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-rectangle-negative-width-crash.html	2014-02-26 21:27:10 UTC (rev 164743)
@@ -0,0 +1,14 @@
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+</script>
+<style>
+    img {
+        width: 10px;
+        height: 10px;
+        float: right;
+        -webkit-shape-outside: inset-rectangle(0, 125%, 0, 0); 
+    }
+</style>
+This test should not crash in a debug build.
+<img></img>
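Review bot: As in the inset() test, `inset-rectangle(0, 125%, 0, 0)` reaches only the width path; a case that makes the bottom inset exceed 100% is needed to cover the height clamp in this branch. The test also passes on any outcome that does not crash in a debug build, because it only dumps the static text. If a collapsed shape is meant to produce a specific layout, a check on that layout would also protect release builds, where the assert is compiled out.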

Modified: trunk/Source/WebCore/ChangeLog (164742 => 164743)


--- trunk/Source/WebCore/ChangeLog	2014-02-26 21:17:35 UTC (rev 164742)
+++ trunk/Source/WebCore/ChangeLog	2014-02-26 21:27:10 UTC (rev 164743)
@@ -1,3 +1,21 @@
+2014-02-26  Bem Jones-Bey  <bjone...@adobe.com>
+
+        [CSS Shapes] inset and inset-rectangle trigger assert with replaced element and large percentage dimension
+        https://bugs.webkit.org/show_bug.cgi?id=129060
+
+        Reviewed by Simon Fraser.
+
+        A bounds check was omitted when computing the width and height for inset
+        rectangles, making it possible for the width or height to end up being
+        negative. This patch adds in that check for both. It seems that only
+        replaced elements like iframe and img trigger this problem.
+
+        Tests: fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-negative-width-crash.html
+               fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-rectangle-negative-width-crash.html
+
+        * rendering/shapes/Shape.cpp:
+        (WebCore::Shape::createShape):
+
 2014-02-26  Myles C. Maxfield  <mmaxfi...@apple.com>
 
         Underlines are too thick when zoomed in
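Review bot: The description says "It seems that only replaced elements like iframe and img trigger this problem" without saying why. The entry should record how the computed width or height goes negative for replaced elements but not for others, so a later reader can tell whether clamping in createShape is the fix itself or a guard over a sizing difference elsewhere.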

Modified: trunk/Source/WebCore/rendering/shapes/Shape.cpp (164742 => 164743)


--- trunk/Source/WebCore/rendering/shapes/Shape.cpp	2014-02-26 21:17:35 UTC (rev 164742)
+++ trunk/Source/WebCore/rendering/shapes/Shape.cpp	2014-02-26 21:27:10 UTC (rev 164743)
@@ -210,8 +210,8 @@
         FloatRect bounds(
             left,
             top,
-            boxWidth - left - floatValueForLength(rectangle.right(), boxWidth),
-            boxHeight - top - floatValueForLength(rectangle.bottom(), boxHeight));
+            std::max<float>(boxWidth - left - floatValueForLength(rectangle.right(), boxWidth), 0),
+            std::max<float>(boxHeight - top - floatValueForLength(rectangle.bottom(), boxHeight), 0));
         FloatSize cornerRadii(
             floatValueForLength(rectangle.cornerRadiusX(), boxWidth),
             floatValueForLength(rectangle.cornerRadiusY(), boxHeight));
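Review bot: In this branch the width and height of `bounds` are now clamped to 0, but the `cornerRadii` constructed right after still resolve against boxWidth and boxHeight, so a collapsed rect can carry non-zero radii. Confirm that the code consuming bounds and cornerRadii tolerates radii larger than the rect, or constrain the radii to the clamped size here. Style: std::max<float>(..., 0) works, but std::max(..., 0.0f) states the type without the explicit template argument.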
@@ -228,8 +228,8 @@
         float top = floatValueForLength(inset.top(), boxHeight);
         FloatRect rect(left,
             top,
-            boxWidth - left - floatValueForLength(inset.right(), boxWidth),
-            boxHeight - top - floatValueForLength(inset.bottom(), boxHeight));
+            std::max<float>(boxWidth - left - floatValueForLength(inset.right(), boxWidth), 0),
+            std::max<float>(boxHeight - top - floatValueForLength(inset.bottom(), boxHeight), 0));
         FloatRect logicalRect = physicalRectToLogical(rect, logicalBoxSize.height(), writingMode);
 
         FloatSize boxSize(boxWidth, boxHeight);
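Review bot: Only the width and height of `rect` are clamped; `left` and `top` are still used as resolved, so a left or top inset over 100% gives a zero-size rect whose origin lies outside the box before it reaches physicalRectToLogical. If that is intended, a one-line comment would help; otherwise clamp the origin as well. The same std::max<float>(size - start - end, 0) expression now appears four times across the two branches, so a small static helper would keep them in sync.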