[webkit-changes] [WebKit/WebKit] 028a85: CSSCalc::simplify: bail if Type::multiply returns ...
Kiet Ho
noreply at github.com
Thu Sep 19 10:39:14 PDT 2024
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 028a859fd9383974ba8f4930e5a4901b25166d77
https://github.com/WebKit/WebKit/commit/028a859fd9383974ba8f4930e5a4901b25166d77
Author: Kiet Ho <kiet.ho at apple.com>
Date: 2024-09-19 (Thu, 19 Sep 2024)
Changed paths:
A LayoutTests/css3/calc/product-more-than-127-factors-expected.txt
A LayoutTests/css3/calc/product-more-than-127-factors.html
M Source/WebCore/css/calc/CSSCalcTree+Simplification.cpp
Log Message:
-----------
CSSCalc::simplify: bail if Type::multiply returns nullopt
https://bugs.webkit.org/show_bug.cgi?id=279880
rdar://136012557

Reviewed by Antti Koivisto.

When simplifying a product expression, CSSCalc::simplify calls
Type::multiply to figure out the type from multiplying two types.
It's possible to craft an expression such that Type::multiply returns
std::nullopt, which CSSCalc::simplify doesn't expect and hence crashes.
One example is:

    ((1px ** 16) ** 8) / 1px

where ** is the power function, which should be unrolled to a product
expression. Fix this by returning early with failure if Type::multiply
returns std::nullopt.

* LayoutTests/css3/calc/product-more-than-127-factors-expected.txt: Added.
* LayoutTests/css3/calc/product-more-than-127-factors.html: Added.
* Source/WebCore/css/calc/CSSCalcTree+Simplification.cpp:
(WebCore::CSSCalc::simplify):

Canonical link: https://commits.webkit.org/283931@main
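
A simplified C++ model of the failure mode and the early-return fix described in the log message above, added here as an illustration and not taken from the WebKit source. `ModelType`, `multiplyTypes`, `productTypeUnchecked` and `productTypeChecked` are hypothetical names, and the signed 8-bit exponent limit of 127 is an assumption suggested by the test file name.

```cpp
#include <cstdint>
#include <optional>

// Simplified stand-in for a calc() type: only the exponent of <length> is tracked.
// Assumption: the exponent lives in a signed 8-bit field, so 127 is the maximum.
struct ModelType {
    int8_t lengthExponent = 0;
};

// Hypothetical analogue of Type::multiply: adds exponents, fails on overflow.
std::optional<ModelType> multiplyTypes(ModelType a, ModelType b)
{
    int sum = int(a.lengthExponent) + int(b.lengthExponent);
    if (sum > INT8_MAX || sum < INT8_MIN)
        return std::nullopt;
    return ModelType { static_cast<int8_t>(sum) };
}

// "Before" shape: assumes multiplication always succeeds.
// .value() is used so the failure surfaces as std::bad_optional_access
// instead of the undefined behaviour of operator* on an empty optional.
ModelType productTypeUnchecked(int factors)
{
    ModelType result;
    for (int i = 0; i < factors; ++i)
        result = multiplyTypes(result, ModelType { 1 }).value();
    return result;
}

// "After" shape: bail out with failure as soon as the type cannot be represented.
std::optional<ModelType> productTypeChecked(int factors)
{
    ModelType result;
    for (int i = 0; i < factors; ++i) {
        auto next = multiplyTypes(result, ModelType { 1 });
        if (!next)
            return std::nullopt; // caller treats the whole expression as invalid
        result = *next;
    }
    return result;
}

int main()
{
    // 16 * 8 = 128 factors of 1px, as in the log message's example.
    return productTypeChecked(16 * 8).has_value() ? 1 : 0;
}
```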