Padding and borders can cause integer overflow in block layouts
authorjpfau@apple.com <jpfau@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 13 Jun 2012 23:30:22 +0000 (23:30 +0000)
committerjpfau@apple.com <jpfau@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 13 Jun 2012 23:30:22 +0000 (23:30 +0000)
https://bugs.webkit.org/show_bug.cgi?id=88820
<rdar://problem/11328762>

Reviewed by Tony Chang.

Source/WebCore:

Tests: fast/block/block-size-integer-overflow.html
       fast/flexbox/box-size-integer-overflow.html
       fast/table/table-size-integer-overflow.html

* rendering/AutoTableLayout.cpp: Decreased max int.
(WebCore::AutoTableLayout::computePreferredLogicalWidths):
* rendering/FixedTableLayout.cpp: Use shared constant.
(WebCore::FixedTableLayout::computePreferredLogicalWidths):
* rendering/RenderBlock.cpp: Removed unused constant.
* rendering/TableLayout.h: Add shared constant.
(TableLayout):

LayoutTests:

* fast/block/block-size-integer-overflow-expected.txt: Added.
* fast/block/block-size-integer-overflow.html: Added.
* fast/flexbox/box-size-integer-overflow-expected.txt: Added.
* fast/flexbox/box-size-integer-overflow.html: Added.
* fast/table/table-size-integer-overflow-expected.txt: Added.
* fast/table/table-size-integer-overflow.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@120257 268f45cc-cd09-0410-ab3c-d52691b4dbfc

12 files changed:
LayoutTests/ChangeLog
LayoutTests/fast/block/block-size-integer-overflow-expected.txt [new file with mode: 0644]
LayoutTests/fast/block/block-size-integer-overflow.html [new file with mode: 0644]
LayoutTests/fast/flexbox/box-size-integer-overflow-expected.txt [new file with mode: 0644]
LayoutTests/fast/flexbox/box-size-integer-overflow.html [new file with mode: 0644]
LayoutTests/fast/table/table-size-integer-overflow-expected.txt [new file with mode: 0644]
LayoutTests/fast/table/table-size-integer-overflow.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/rendering/AutoTableLayout.cpp
Source/WebCore/rendering/FixedTableLayout.cpp
Source/WebCore/rendering/RenderBlock.cpp
Source/WebCore/rendering/TableLayout.h

index 98e3280..0e4cbb1 100644 (file)
@@ -1,3 +1,18 @@
+2012-06-13  Jeffrey Pfau  <jpfau@apple.com>
+
+        Padding and borders can cause integer overflow in block layouts
+        https://bugs.webkit.org/show_bug.cgi?id=88820
+        <rdar://problem/11328762>
+
+        Reviewed by Tony Chang.
+
+        * fast/block/block-size-integer-overflow-expected.txt: Added.
+        * fast/block/block-size-integer-overflow.html: Added.
+        * fast/flexbox/box-size-integer-overflow-expected.txt: Added.
+        * fast/flexbox/box-size-integer-overflow.html: Added.
+        * fast/table/table-size-integer-overflow-expected.txt: Added.
+        * fast/table/table-size-integer-overflow.html: Added.
+
 2012-06-13  Dirk Pranke  <dpranke@chromium.org>
 
         Unreviewed, expectations changes.
diff --git a/LayoutTests/fast/block/block-size-integer-overflow-expected.txt b/LayoutTests/fast/block/block-size-integer-overflow-expected.txt
new file mode 100644 (file)
index 0000000..51c3413
--- /dev/null
@@ -0,0 +1,2 @@
+This test passes if there is a green box that stretches the width of the page.
+PASS   
diff --git a/LayoutTests/fast/block/block-size-integer-overflow.html b/LayoutTests/fast/block/block-size-integer-overflow.html
new file mode 100644 (file)
index 0000000..95eb1f5
--- /dev/null
@@ -0,0 +1,37 @@
+<html>
+<head>
+<style>
+.fail, .pass, #spacer {
+  display: table-cell;
+}
+
+.pass {
+  visibility: hidden;
+}
+</style>
+<script>
+window.onload = function() {
+  if (window.layoutTestController)
+    window.layoutTestController.dumpAsText();
+
+  var spacer = document.getElementById("spacer");
+  if (spacer.offsetWidth > 0) {
+    var fail = document.getElementsByClassName("fail");
+    fail[1].className = "pass";
+    fail[0].className = "pass";
+    spacer.innerText = "PASS";
+  }
+}
+</script>
+</head>
+<body>
+<div style="display: -webkit-box; -webkit-box-orient: horizontal">
+  This test passes if there is a green box that stretches the width of the page.
+  <div style="padding-left: 1px">
+    <div class="fail">FA</div>
+    <div id="spacer" style="color: green; width: 100%; background-color: green"></div>
+    <div class="fail">IL</div>
+  </div>
+</div>
+</body>
+</html>
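Review bot: The order of the two assignments `fail[1].className = "pass"; fail[0].className = "pass";` in the onload handler is load-bearing and undocumented: getElementsByClassName returns a live collection, so clearing index 0 first would shrink it and make `fail[1]` undefined. A one-line comment such as `// "fail" is a live collection: clear the last entry first so the indices stay valid.` would keep a later edit from reordering them; alternatively copy the collection with `Array.prototype.slice.call(fail)` before mutating. The test only flips to PASS when `spacer.offsetWidth > 0`, so a width that overflows to zero or negative still renders the FAIL text, which is the intended failure mode for this bug.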
diff --git a/LayoutTests/fast/flexbox/box-size-integer-overflow-expected.txt b/LayoutTests/fast/flexbox/box-size-integer-overflow-expected.txt
new file mode 100644 (file)
index 0000000..c4338ae
--- /dev/null
@@ -0,0 +1,2 @@
+PASS
+The green box should be the full width of the page.
diff --git a/LayoutTests/fast/flexbox/box-size-integer-overflow.html b/LayoutTests/fast/flexbox/box-size-integer-overflow.html
new file mode 100644 (file)
index 0000000..e998676
--- /dev/null
@@ -0,0 +1,32 @@
+<html>
+<head>
+<script>
+window.onload = function() {
+  if (window.layoutTestController)
+    window.layoutTestController.dumpAsText();
+
+  var cell = document.getElementById("cell");
+  var text = cell.firstElementChild;
+  var wdiff = cell.offsetWidth - text.offsetWidth - (parseInt(window.getComputedStyle(cell).getPropertyValue('padding-right')) +
+                                                     parseInt(window.getComputedStyle(cell).getPropertyValue('padding-left')));
+  if (wdiff > 0)
+    text.innerText = "PASS";
+}
+</script>
+</head>
+<body>
+<div style="float: left;">
+  <div style="display: -webkit-box; border: 1px solid">
+    <table>
+      <tr>
+        <td></td>
+        <td id="cell" style="background-color: green; width: 100%; height: 30px">
+          <span>FAIL</span>
+        </td>
+      </tr>
+    </table>
+  </div>
+</div>
+<div style="clear: left;">The green box should be the full width of the page.</div>
+</body>
+</html>
\ No newline at end of file
diff --git a/LayoutTests/fast/table/table-size-integer-overflow-expected.txt b/LayoutTests/fast/table/table-size-integer-overflow-expected.txt
new file mode 100644 (file)
index 0000000..c4338ae
--- /dev/null
@@ -0,0 +1,2 @@
+PASS
+The green box should be the full width of the page.
diff --git a/LayoutTests/fast/table/table-size-integer-overflow.html b/LayoutTests/fast/table/table-size-integer-overflow.html
new file mode 100644 (file)
index 0000000..c381b72
--- /dev/null
@@ -0,0 +1,30 @@
+<html>
+<head>
+<script>
+window.onload = function() {
+  if (window.layoutTestController)
+    window.layoutTestController.dumpAsText();
+
+  var cell = document.getElementById("cell");
+  var text = cell.firstElementChild;
+  var wdiff = cell.offsetWidth - text.offsetWidth - (parseInt(window.getComputedStyle(cell).getPropertyValue('padding-right')) +
+                                                     parseInt(window.getComputedStyle(cell).getPropertyValue('padding-left')));
+  if (wdiff > 0)
+    text.innerText = "PASS";
+}
+</script>
+</head>
+<body>
+<div style="float: left;">
+  <table style="margin: 1px">
+    <tr>
+      <td></td>
+      <td id="cell" style="background-color: green; width: 100%; height: 30px">
+        <span>FAIL</span>
+      </td>
+    </tr>
+  </table>
+</div>
+<div style="clear: left;">The green box should be the full width of the page.</div>
+</body>
+</html>
\ No newline at end of file
index 93a038e..4cb7060 100644 (file)
@@ -1,3 +1,23 @@
+2012-06-13  Jeffrey Pfau  <jpfau@apple.com>
+
+        Padding and borders can cause integer overflow in block layouts
+        https://bugs.webkit.org/show_bug.cgi?id=88820
+        <rdar://problem/11328762>
+
+        Reviewed by Tony Chang.
+
+        Tests: fast/block/block-size-integer-overflow.html
+               fast/flexbox/box-size-integer-overflow.html
+               fast/table/table-size-integer-overflow.html
+
+        * rendering/AutoTableLayout.cpp: Decreased max int.
+        (WebCore::AutoTableLayout::computePreferredLogicalWidths):
+        * rendering/FixedTableLayout.cpp: Use shared constant.
+        (WebCore::FixedTableLayout::computePreferredLogicalWidths):
+        * rendering/RenderBlock.cpp: Removed unused constant.
+        * rendering/TableLayout.h: Add shared constant.
+        (TableLayout):
+
 2012-06-13  Gregg Tavares  <gman@google.com>
 
         Refactor WebGLFramebuffer to handle texture attachments
index 2c3636e..0af1f78 100644 (file)
@@ -244,8 +244,8 @@ void AutoTableLayout::computePreferredLogicalWidths(LayoutUnit& minWidth, Layout
 
     if (scaleColumns) {
         maxNonPercent = maxNonPercent * 100 / max(remainingPercent, epsilon);
-        maxWidth = max<int>(maxWidth, static_cast<int>(min(maxNonPercent, MAX_LAYOUT_UNIT / 2.0f)));
-        maxWidth = max<int>(maxWidth, static_cast<int>(min(maxPercent, MAX_LAYOUT_UNIT / 2.0f)));
+        maxWidth = max<int>(maxWidth, static_cast<int>(min(maxNonPercent, static_cast<float>(tableMaxWidth))));
+        maxWidth = max<int>(maxWidth, static_cast<int>(min(maxPercent, static_cast<float>(tableMaxWidth))));
     }
 
     maxWidth = max<int>(maxWidth, spanMaxLogicalWidth);
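Review bot: The switch from `MAX_LAYOUT_UNIT / 2.0f` to `tableMaxWidth` on the two clamped lines carries no explanation of why the much smaller bound is needed, and the same bare constant appears again in the second hunk (`maxWidth = tableMaxWidth;`). A comment on the first clamp would tie it to the bug, e.g. `// Clamp to tableMaxWidth rather than MAX_LAYOUT_UNIT so that padding and borders added later cannot overflow int.` The clamp only bounds the two scaled contributions; `maxWidth = max<int>(maxWidth, spanMaxLogicalWidth);` on the last line feeds the same accumulator unclamped, so the bound holds only if spanMaxLogicalWidth is itself kept within range — that computation is outside the hunk and should be checked. computePreferredLogicalWidths starts before and ends after these hunks.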
@@ -260,7 +260,7 @@ void AutoTableLayout::computePreferredLogicalWidths(LayoutUnit& minWidth, Layout
         maxWidth = minWidth;
     } else if (!remainingPercent && maxNonPercent) {
         // if there was no remaining percent, maxWidth is invalid
-        maxWidth = MAX_LAYOUT_UNIT;
+        maxWidth = tableMaxWidth;
     }
 
     Length tableLogicalMinWidth = m_table->style()->logicalMinWidth();
index 54272b1..41dd906 100644 (file)
@@ -166,11 +166,6 @@ int FixedTableLayout::calcWidthArray(int)
     return usedWidth;
 }
 
-// Use a very large value (in effect infinite). But not too large!
-// numeric_limits<int>::max() will too easily overflow widths.
-// Keep this in synch with BLOCK_MAX_WIDTH in RenderBlock.cpp
-#define TABLE_MAX_WIDTH 15000
-
 void FixedTableLayout::computePreferredLogicalWidths(LayoutUnit& minWidth, LayoutUnit& maxWidth)
 {
     // FIXME: This entire calculation is incorrect for both minwidth and maxwidth.
@@ -204,8 +199,8 @@ void FixedTableLayout::computePreferredLogicalWidths(LayoutUnit& minWidth, Layou
     // In this example, the two inner tables should be as large as the outer table. 
     // We can achieve this effect by making the maxwidth of fixed tables with percentage
     // widths be infinite.
-    if (m_table->document()->inQuirksMode() && m_table->style()->logicalWidth().isPercent() && maxWidth < TABLE_MAX_WIDTH)
-        maxWidth = TABLE_MAX_WIDTH;
+    if (m_table->document()->inQuirksMode() && m_table->style()->logicalWidth().isPercent() && maxWidth < tableMaxWidth)
+        maxWidth = tableMaxWidth;
 }
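Review bot: The rationale for the 15000 limit is lost: the removed block `// Use a very large value (in effect infinite). But not too large! numeric_limits<int>::max() will too easily overflow widths.` above the old `#define TABLE_MAX_WIDTH` was the only place that explained the value, and the replacement `tableMaxWidth` in TableLayout.h is declared without a comment. The first two sentences should move next to that declaration; the third sentence about keeping it in sync with BLOCK_MAX_WIDTH is now moot, since the RenderBlock.cpp hunk deletes that macro in the same commit. The surviving comment on the lines above this hunk still says the maxwidth is made "infinite", which is now only true in the sense of the 15000 cap; a short clarification there would help. If any caller binds `tableMaxWidth` to a reference (for example through a LayoutUnit comparison operator taking `const int&`), the in-class initializer alone would need an out-of-class definition under the C++ standard this tree builds with — worth confirming at the `maxWidth < tableMaxWidth` comparison.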
 
 void FixedTableLayout::layout()
index 1ea90c7..eb5953a 100755 (executable)
@@ -5693,9 +5693,6 @@ void RenderBlock::computeInlinePreferredLogicalWidths()
     updatePreferredWidth(m_maxPreferredLogicalWidth, inlineMax);
 }
 
-// Use a very large value (in effect infinite).
-#define BLOCK_MAX_WIDTH 15000
-
 void RenderBlock::computeBlockPreferredLogicalWidths()
 {
     RenderStyle* styleToUse = style();
index a72bfef..7507683 100644 (file)
@@ -42,6 +42,8 @@ public:
     virtual void layout() = 0;
 
 protected:
+    const static int tableMaxWidth = 15000;
+
     RenderTable* m_table;
 };