Title: [164743] trunk
Revision: 164743
Author: [email protected]
Date: 2014-02-26 13:27:10 -0800 (Wed, 26 Feb 2014)

Log Message

[CSS Shapes] inset and inset-rectangle trigger assert with replaced element and large percentage dimension
https://bugs.webkit.org/show_bug.cgi?id=129060

Reviewed by Simon Fraser.

Source/WebCore:

A bounds check was omitted when computing the width and height for inset
rectangles, making it possible for the width or height to end up being
negative. This patch adds in that check for both. It seems that only
replaced elements like iframe and img trigger this problem.

Tests: fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-negative-width-crash.html
       fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-rectangle-negative-width-crash.html

* rendering/shapes/Shape.cpp:
(WebCore::Shape::createShape):

LayoutTests:

* fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-negative-width-crash-expected.txt: Added.
* fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-negative-width-crash.html: Added.
* fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-rectangle-negative-width-crash-expected.txt: Added.
* fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-rectangle-negative-width-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (164742 => 164743)


--- trunk/LayoutTests/ChangeLog	2014-02-26 21:17:35 UTC (rev 164742)
+++ trunk/LayoutTests/ChangeLog	2014-02-26 21:27:10 UTC (rev 164743)
@@ -1,3 +1,15 @@
+2014-02-26  Bem Jones-Bey  <[email protected]>
+
+        [CSS Shapes] inset and inset-rectangle trigger assert with replaced element and large percentage dimension
+        https://bugs.webkit.org/show_bug.cgi?id=129060
+
+        Reviewed by Simon Fraser.
+
+        * fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-negative-width-crash-expected.txt: Added.
+        * fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-negative-width-crash.html: Added.
+        * fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-rectangle-negative-width-crash-expected.txt: Added.
+        * fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-rectangle-negative-width-crash.html: Added.
+
 2014-02-26  Myles C. Maxfield  <[email protected]>
 
         Underlines are too thick when zoomed in

Added: trunk/LayoutTests/fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-negative-width-crash-expected.txt (0 => 164743)


--- trunk/LayoutTests/fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-negative-width-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-negative-width-crash-expected.txt	2014-02-26 21:27:10 UTC (rev 164743)
@@ -0,0 +1 @@
+This test should not crash in a debug build. 

Added: trunk/LayoutTests/fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-negative-width-crash.html (0 => 164743)


--- trunk/LayoutTests/fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-negative-width-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-negative-width-crash.html	2014-02-26 21:27:10 UTC (rev 164743)
@@ -0,0 +1,14 @@
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+</script>
+<style>
+    img {
+        width: 10px;
+        height: 10px;
+        float: right;
+        -webkit-shape-outside: inset(0 125% 0 0); 
+    }
+</style>
+This test should not crash in a debug build.
+<img></img>
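
Review bot: The patch clamps both width and height, but `inset(0 125% 0 0)` only pushes the right inset past 100%, so only the width clamp is exercised. A second case with the bottom inset over 100% (for example `inset(0 0 125% 0)`) would cover the height path too. Minor: `<img></img>` can be just `<img>`, since img takes no end tag.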

Added: trunk/LayoutTests/fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-rectangle-negative-width-crash-expected.txt (0 => 164743)


--- trunk/LayoutTests/fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-rectangle-negative-width-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-rectangle-negative-width-crash-expected.txt	2014-02-26 21:27:10 UTC (rev 164743)
@@ -0,0 +1 @@
+This test should not crash in a debug build. 

Added: trunk/LayoutTests/fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-rectangle-negative-width-crash.html (0 => 164743)


--- trunk/LayoutTests/fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-rectangle-negative-width-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-rectangle-negative-width-crash.html	2014-02-26 21:27:10 UTC (rev 164743)
@@ -0,0 +1,14 @@
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+</script>
+<style>
+    img {
+        width: 10px;
+        height: 10px;
+        float: right;
+        -webkit-shape-outside: inset-rectangle(0, 125%, 0, 0); 
+    }
+</style>
+This test should not crash in a debug build.
+<img></img>
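
Review bot: The only pass condition here is the absence of a debug-build assert (the expected output is just the sentence at the bottom of the file), so in a build without assertions this test passes with or without the Shape.cpp change. A check on the resulting layout, such as where the text lands relative to the float, would catch a regression in the clamp itself. The log message also names iframe as affected, and neither added test covers it.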

Modified: trunk/Source/WebCore/ChangeLog (164742 => 164743)


--- trunk/Source/WebCore/ChangeLog	2014-02-26 21:17:35 UTC (rev 164742)
+++ trunk/Source/WebCore/ChangeLog	2014-02-26 21:27:10 UTC (rev 164743)
@@ -1,3 +1,21 @@
+2014-02-26  Bem Jones-Bey  <[email protected]>
+
+        [CSS Shapes] inset and inset-rectangle trigger assert with replaced element and large percentage dimension
+        https://bugs.webkit.org/show_bug.cgi?id=129060
+
+        Reviewed by Simon Fraser.
+
+        A bounds check was omitted when computing the width and height for inset
+        rectangles, making it possible for the width or height to end up being
+        negative. This patch adds in that check for both. It seems that only
+        replaced elements like iframe and img trigger this problem.
+
+        Tests: fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-negative-width-crash.html
+               fast/shapes/shape-outside-floats/shape-outside-floats-img-inset-rectangle-negative-width-crash.html
+
+        * rendering/shapes/Shape.cpp:
+        (WebCore::Shape::createShape):
+
 2014-02-26  Myles C. Maxfield  <[email protected]>
 
         Underlines are too thick when zoomed in
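
Review bot: "It seems that only replaced elements like iframe and img trigger this problem" leaves the root cause open. The entry should say why other elements are unaffected, or state plainly that this is not yet known, so a later reader can tell whether the clamp in Shape::createShape is the only guard against a negative size.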

Modified: trunk/Source/WebCore/rendering/shapes/Shape.cpp (164742 => 164743)


--- trunk/Source/WebCore/rendering/shapes/Shape.cpp	2014-02-26 21:17:35 UTC (rev 164742)
+++ trunk/Source/WebCore/rendering/shapes/Shape.cpp	2014-02-26 21:27:10 UTC (rev 164743)
@@ -210,8 +210,8 @@
         FloatRect bounds(
             left,
             top,
-            boxWidth - left - floatValueForLength(rectangle.right(), boxWidth),
-            boxHeight - top - floatValueForLength(rectangle.bottom(), boxHeight));
+            std::max<float>(boxWidth - left - floatValueForLength(rectangle.right(), boxWidth), 0),
+            std::max<float>(boxHeight - top - floatValueForLength(rectangle.bottom(), boxHeight), 0));
         FloatSize cornerRadii(
             floatValueForLength(rectangle.cornerRadiusX(), boxWidth),
             floatValueForLength(rectangle.cornerRadiusY(), boxHeight));
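
Review bot: After this change `bounds` can have zero width or height, but `cornerRadii` in the lines just below is still derived from the full `boxWidth` and `boxHeight`, so a percentage radius stays non-zero on an empty rectangle. Worth confirming that whatever consumes `bounds` and `cornerRadii` accepts radii larger than the rectangle, or constraining the radii to the clamped size. Also, the same `std::max<float>(..., 0)` pattern now appears four times across the two branches; a small helper would keep them from drifting apart.
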
@@ -228,8 +228,8 @@
         float top = floatValueForLength(inset.top(), boxHeight);
         FloatRect rect(left,
             top,
-            boxWidth - left - floatValueForLength(inset.right(), boxWidth),
-            boxHeight - top - floatValueForLength(inset.bottom(), boxHeight));
+            std::max<float>(boxWidth - left - floatValueForLength(inset.right(), boxWidth), 0),
+            std::max<float>(boxHeight - top - floatValueForLength(inset.bottom(), boxHeight), 0));
         FloatRect logicalRect = physicalRectToLogical(rect, logicalBoxSize.height(), writingMode);
 
         FloatSize boxSize(boxWidth, boxHeight);
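
Review bot: Only the size is clamped here; `top` (and `left`) are passed through unchanged, so `float top = floatValueForLength(inset.top(), boxHeight);` with a top inset above 100% still produces a zero-size rect whose origin lies outside the box before it goes into `physicalRectToLogical`. If an empty rect positioned outside the box is intended, a short comment saying so would help; otherwise the origin should be constrained to the box as well.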