Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 5eacd591f79bb8b1ce4097a8afe3e8c1516bb7ba
https://github.com/WebKit/WebKit/commit/5eacd591f79bb8b1ce4097a8afe3e8c1516bb7ba
Author: Chris Dumez <[email protected]>
Date: 2026-06-04 (Thu, 04 Jun 2026)
Changed paths:
M Source/WebCore/platform/graphics/Region.cpp
M Tools/TestWebKitAPI/Tests/WebCore/RegionTests.cpp
Log Message:
-----------
Region::totalArea overflows when a single rect's area exceeds INT_MAX
https://bugs.webkit.org/show_bug.cgi?id=316188

Reviewed by Kimmo Kinnunen.

Region::totalArea() accumulates rect.width() * rect.height() into a
uint64_t. Both width() and height() return int, so the multiplication
is performed in int and only the result is widened. Any rect whose
area exceeds INT_MAX (e.g. 50000 x 50000 == 2,500,000,000) overflows
the int multiplication before the assignment, then sign-extends into
uint64_t and corrupts the running total.

Cast one operand to uint64_t so the multiplication itself happens in
64 bits. Add an API test that exercises the overflow case.

Test: RegionTests.TotalAreaDoesNotOverflowSignedInt

* Source/WebCore/platform/graphics/Region.cpp:
(WebCore::Region::totalArea const):
* Tools/TestWebKitAPI/Tests/WebCore/RegionTests.cpp:
(TestWebKitAPI::TEST(RegionTests, TotalAreaDoesNotOverflowSignedInt)):
Canonical link: https://commits.webkit.org/314594@main
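The mechanism the commit message describes (int * int evaluated in int, then the overflowed result sign-extended into uint64_t), shown side by side with the widened form, as an added example that is not WebKit's code. The `Rect` type and the three function names are hypothetical stand-ins; the only property borrowed from the page is that width() and height() return int. Because signed overflow is undefined behaviour in C++, the pre-fix arithmetic is reproduced through an unsigned multiply and a cast back to int32_t, which is the two's-complement wrap compilers produce in practice.

```cpp
#include <climits>
#include <cstdint>
#include <cstdio>
#include <vector>

// Hypothetical stand-in for the rect type the region iterates over: width()
// and height() return int, which is the property the overflow depends on.
struct Rect {
    int w;
    int h;
    int width() const { return w; }
    int height() const { return h; }
};

// Models the pre-fix accumulation. Writing `rect.width() * rect.height()`
// directly would be signed overflow (undefined behaviour), so the int
// multiplication is reproduced with the two's-complement wrap seen in
// practice, and the wrapped int is then converted to uint64_t exactly as
// the original assignment did (sign-extension of a negative value).
uint64_t totalAreaOverflowing(const std::vector<Rect>& rects)
{
    uint64_t total = 0;
    for (const Rect& rect : rects) {
        uint32_t wrapped = static_cast<uint32_t>(rect.width()) * static_cast<uint32_t>(rect.height());
        int32_t asInt = static_cast<int32_t>(wrapped); // the overflowed int result
        total += static_cast<uint64_t>(asInt);         // sign-extends when negative
    }
    return total;
}

// Fixed form: widen one operand first so the multiplication is done in 64 bits.
uint64_t totalAreaFixed(const std::vector<Rect>& rects)
{
    uint64_t total = 0;
    for (const Rect& rect : rects)
        total += static_cast<uint64_t>(rect.width()) * rect.height();
    return total;
}

// Portable pre-check a unit test can use: does width * height fit in int?
// Assumes non-negative dimensions; a rect with a non-positive extent is
// treated as empty (area 0), which trivially fits.
bool areaFitsInInt(const Rect& rect)
{
    int w = rect.width();
    int h = rect.height();
    if (w <= 0 || h <= 0)
        return true;
    return h <= INT_MAX / w;
}

int main()
{
    std::vector<Rect> big { { 50000, 50000 } }; // constructed: 2,500,000,000 > INT_MAX
    std::printf("overflowing: %llu\n", static_cast<unsigned long long>(totalAreaOverflowing(big)));
    std::printf("fixed:       %llu\n", static_cast<unsigned long long>(totalAreaFixed(big)));
    std::printf("fits in int: %s\n", areaFitsInInt(big[0]) ? "yes" : "no");
    return 0;
}
```

The two accumulators agree for any rect whose area fits in int and diverge only past INT_MAX, which is why a test built from ordinary-sized rects never catches the bug. Note that widening alone does not make the product safe for negative dimensions (a negative int converted to uint64_t wraps to a huge value), so a guard such as `areaFitsInInt`, or building with `-fsanitize=undefined` so the original signed overflow is reported at the multiplication, is worth pairing with the fix in tests.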