Title: [289883] trunk
- Revision
- 289883
- Author
- [email protected]
- Date
- 2022-02-16 01:29:18 -0800 (Wed, 16 Feb 2022)
Log Message
Floating point exception in RenderListBox::numVisibleItems
https://bugs.webkit.org/show_bug.cgi?id=229307
Reviewed by Mark Lam.
Source/WebCore:
FontMetrics::height can return a negative value when setAscent() is called with
with a value that is too large to be represented as an int. Prevent this by
making setAscent() ensure that m_intAscent is set to a non-negative value.
Test: fast/forms/listbox-zero-item-height.html
* platform/graphics/FontMetrics.h:
(WebCore::FontMetrics::setAscent):
LayoutTests:
* fast/forms/listbox-zero-item-height-expected.txt: Added.
* fast/forms/listbox-zero-item-height.html: Added.
Modified Paths
Added Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (289882 => 289883)
--- trunk/LayoutTests/ChangeLog 2022-02-16 09:19:57 UTC (rev 289882)
+++ trunk/LayoutTests/ChangeLog 2022-02-16 09:29:18 UTC (rev 289883)
@@ -1,3 +1,13 @@
+2022-02-16 Ali Juma <[email protected]>
+
+ Floating point exception in RenderListBox::numVisibleItems
+ https://bugs.webkit.org/show_bug.cgi?id=229307
+
+ Reviewed by Mark Lam.
+
+ * fast/forms/listbox-zero-item-height-expected.txt: Added.
+ * fast/forms/listbox-zero-item-height.html: Added.
+
2022-02-16 Jon Lee <[email protected]>
Reset GPU Process TestExpectations after accelerated drawing is enabled.
Added: trunk/LayoutTests/fast/forms/listbox-zero-item-height-expected.txt (0 => 289883)
--- trunk/LayoutTests/fast/forms/listbox-zero-item-height-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/forms/listbox-zero-item-height-expected.txt 2022-02-16 09:29:18 UTC (rev 289883)
@@ -0,0 +1,3 @@
+This test passes if it doesn't crash.
+
+
Added: trunk/LayoutTests/fast/forms/listbox-zero-item-height.html (0 => 289883)
--- trunk/LayoutTests/fast/forms/listbox-zero-item-height.html (rev 0)
+++ trunk/LayoutTests/fast/forms/listbox-zero-item-height.html 2022-02-16 09:29:18 UTC (rev 289883)
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+}
+</script>
+
+<style>
+ *{zoom:4000;}
+</style>
+
+<form>
+ <div>
+ <p>This test passes if it doesn't crash.</p>
+ <select multiple="multiple" style="-webkit-appearance:push-button;">
+ </div>
+</form>
\ No newline at end of file
Modified: trunk/Source/WebCore/ChangeLog (289882 => 289883)
--- trunk/Source/WebCore/ChangeLog 2022-02-16 09:19:57 UTC (rev 289882)
+++ trunk/Source/WebCore/ChangeLog 2022-02-16 09:29:18 UTC (rev 289883)
@@ -1,3 +1,19 @@
+2022-02-16 Ali Juma <[email protected]>
+
+ Floating point exception in RenderListBox::numVisibleItems
+ https://bugs.webkit.org/show_bug.cgi?id=229307
+
+ Reviewed by Mark Lam.
+
+ FontMetrics::height can return a negative value when setAscent() is called with
+ with a value that is too large to be represented as an int. Prevent this by
+ making setAscent() ensure that m_intAscent is set to a non-negative value.
+
+ Test: fast/forms/listbox-zero-item-height.html
+
+ * platform/graphics/FontMetrics.h:
+ (WebCore::FontMetrics::setAscent):
+
2022-02-16 Wenson Hsieh <[email protected]>
[macOS] Add an "Markup Image" item to the sharing services picker context menu
Modified: trunk/Source/WebCore/platform/graphics/FontMetrics.h (289882 => 289883)
--- trunk/Source/WebCore/platform/graphics/FontMetrics.h 2022-02-16 09:19:57 UTC (rev 289882)
+++ trunk/Source/WebCore/platform/graphics/FontMetrics.h 2022-02-16 09:29:18 UTC (rev 289883)
@@ -42,7 +42,7 @@
void setAscent(float ascent)
{
m_floatAscent = ascent;
- m_intAscent = lroundf(ascent);
+ m_intAscent = std::max(static_cast<int>(lroundf(ascent)), 0);
}
float floatDescent(FontBaseline baselineType = AlphabeticBaseline) const
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
