LayoutNG: Fix a crash with input[type=file]::after with huge margin

The crash is similar to crrev.com/806062. In this case, both of |line_width| and |item.InlineOffset()| are saturated to LayoutUnit::Max(), then later width computation didn't work well. This CL fixes the crash by checking the saturation, and also adds vector index checking to prevent similar issues. Bug: 1129570 Change-Id: I7b019fb09dda68b24a70cc6f4865dfa22a70ded1 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2423759 Auto-Submit: Kent Tamura <tkent@chromium.org> Commit-Queue: Koji Ishii <kojii@chromium.org> Reviewed-by: Koji Ishii <kojii@chromium.org> Cr-Commit-Position: refs/heads/master@{#809868}

LayoutNG: Fix a crash with input[type=file]::after with huge margin
The crash is similar to crrev.com/806062. In this case, both of |line_width| and |item.InlineOffset()| are saturated to LayoutUnit::Max(), then later width computation didn't work well. This CL fixes the crash by checking the saturation, and also adds vector index checking to prevent similar issues. Bug: 1129570 Change-Id: I7b019fb09dda68b24a70cc6f4865dfa22a70ded1 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2423759 Auto-Submit: Kent Tamura <tkent@chromium.org> Commit-Queue: Koji Ishii <kojii@chromium.org> Reviewed-by: Koji Ishii <kojii@chromium.org> Cr-Commit-Position: refs/heads/master@{#809868}
1b749a28 · Kent Tamura · Commit Bot · 992e5b90 · 1b749a28 · 1b749a28
Commit 1b749a28 authored Sep 23, 2020 by Kent Tamura Committed by Commit Bot Sep 23, 2020
2 changed files
--- a/third_party/blink/renderer/core/layout/ng/inline/ng_line_truncator.cc
+++ b/third_party/blink/renderer/core/layout/ng/inline/ng_line_truncator.cc
@@ -247,6 +247,9 @@ LayoutUnit NGLineTruncator::TruncateLineInTheMiddle(
  LayoutUnit static_width_right = LayoutUnit(0);
  if (initial_index_right + 1 < line.size()) {
    const NGLogicalLineItem& item = line[initial_index_right + 1];
+    // |line_width| and/or InlineOffset() might be saturated.
+    if (line_width <= item.InlineOffset())
+      return line_width;
    static_width_right =
        line_width - item.InlineOffset() + item.margin_line_left;
  }
@@ -266,8 +269,13 @@ LayoutUnit NGLineTruncator::TruncateLineInTheMiddle(
  if (IsLtr(line_direction_)) {
    // Find truncation point at the left, truncate, and add an ellipsis.
-    while (available_width_left >= line[index_left].inline_size)
+    while (available_width_left >= line[index_left].inline_size) {
      available_width_left -= line[index_left++].inline_size;
+      if (index_left >= line.size()) {
+        // We have a logic bug. Do nothing.
+        return line_width;
+      }
+    }
    DCHECK_LE(index_left, index_right);
    DCHECK(!line[index_left].IsPlaceholder());
    wtf_size_t new_index = AddTruncatedChild(
@@ -288,8 +296,15 @@ LayoutUnit NGLineTruncator::TruncateLineInTheMiddle(
    }
    // Find truncation point at the right.
-    while (available_width_right >= line[index_right].inline_size)
+    while (available_width_right >= line[index_right].inline_size) {
-      available_width_right -= line[index_right--].inline_size;
+      available_width_right -= line[index_right].inline_size;
+      if (index_right == 0) {
+        // We have a logic bug. We proceed anyway because |line| was already
+        // modified.
+        break;
+      }
+      --index_right;
+    }
    LayoutUnit new_modified_right_offset =
        line[line.size() - 1].InlineOffset() + ellipsis_width_;
    DCHECK_LE(index_left, index_right);
@@ -316,8 +331,14 @@ LayoutUnit NGLineTruncator::TruncateLineInTheMiddle(
  } else {
    // Find truncation point at the right, truncate, and add an ellipsis.
-    while (available_width_right >= line[index_right].inline_size)
+    while (available_width_right >= line[index_right].inline_size) {
-      available_width_right -= line[index_right--].inline_size;
+      available_width_right -= line[index_right].inline_size;
+      if (index_right == 0) {
+        // We have a logic bug. Do nothing.
+        return line_width;
+      }
+      --index_right;
+    }
    DCHECK_LE(index_left, index_right);
    DCHECK(!line[index_right].IsPlaceholder());
    wtf_size_t new_index =
@@ -341,8 +362,14 @@ LayoutUnit NGLineTruncator::TruncateLineInTheMiddle(
    LayoutUnit ellipsis_offset = line[line.size() - 1].InlineOffset();
    // Find truncation point at the left.
-    while (available_width_left >= line[index_left].inline_size)
+    while (available_width_left >= line[index_left].inline_size) {
      available_width_left -= line[index_left++].inline_size;
+      if (index_left >= line.size()) {
+        // We have a logic bug. We proceed anyway because |line| was already
+        // modified.
+        break;
+      }
+    }
    DCHECK_LE(index_left, index_right);
    DCHECK(!line[index_left].IsPlaceholder());
    if (available_width_left > 0) {

--- a/third_party/blink/web_tests/fast/forms/file/file-crash-by-pseudo-after-with-padding.html
+++ b/third_party/blink/web_tests/fast/forms/file/file-crash-by-pseudo-after-with-padding.html
@@ -10,6 +10,15 @@
  width: 100%;
  padding-right: 100%;
 }
+.c19 {
+  width: 400px;
+}
+.c19:after {
+  content: 'a';
+  margin-left: 2000000000%;
+}
 </style>
 <input type="file">
 <script>
@@ -19,4 +28,11 @@ test(() => {
  fileInput.offsetWidth;
  // Ok if no crash.
 }, ':after with large padding should not cause a crash.');
+test(() => {
+  const fileInput = document.querySelector('input');
+  fileInput.classList.add('c19');
+  fileInput.offsetWidth;
+  // Ok if no crash.
+}, ':after with huge margin should not cause a crash.');
 </script>