Fix integer overflow in frameset layout

Existing code was multiplying ints in a context where an intermediate result could overflow the 32-bit container. Change to explicitly use a 64-bit long long for the intermediate product to avoid undefined behaviour. Found by UBSan / clusterfuzz Bug: 852435 Change-Id: I683eee6eda51f40e7f165c0a55111fba623c2ec9 Reviewed-on: https://chromium-review.googlesource.com/1099756Reviewed-by: Steve Kobes <skobes@chromium.org> Commit-Queue: Ian Clelland <iclelland@chromium.org> Cr-Commit-Position: refs/heads/master@{#567097}

Fix integer overflow in frameset layout
Existing code was multiplying ints in a context where an intermediate result could overflow the 32-bit container. Change to explicitly use a 64-bit long long for the intermediate product to avoid undefined behaviour. Found by UBSan / clusterfuzz Bug: 852435 Change-Id: I683eee6eda51f40e7f165c0a55111fba623c2ec9 Reviewed-on: https://chromium-review.googlesource.com/1099756Reviewed-by: Steve Kobes <skobes@chromium.org> Commit-Queue: Ian Clelland <iclelland@chromium.org> Cr-Commit-Position: refs/heads/master@{#567097}
47ef1c5d · Ian Clelland · Commit Bot · 0b1c2fbf · 47ef1c5d
Commit 47ef1c5d authored Jun 14, 2018 by Ian Clelland Committed by Commit Bot Jun 14, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 12 additions and 4 deletions

third_party/blink/renderer/core/layout/layout_frame_set.cc third_party/blink/renderer/core/layout/layout_frame_set.cc +12 -4

No files found.
--- a/third_party/blink/renderer/core/layout/layout_frame_set.cc
+++ b/third_party/blink/renderer/core/layout/layout_frame_set.cc
@@ -137,7 +137,9 @@ void LayoutFrameSet::LayOutAxis(GridAxis& axis,

    for (int i = 0; i < grid_len; ++i) {
      if (grid[i].IsAbsolute()) {
-        grid_layout[i] = (grid_layout[i] * remaining_fixed) / total_fixed;
+        long long temp_product =
+            static_cast<long long>(grid_layout[i]) * remaining_fixed;
+        grid_layout[i] = temp_product / total_fixed;
        remaining_len -= grid_layout[i];
      }
    }
@@ -155,7 +157,9 @@ void LayoutFrameSet::LayOutAxis(GridAxis& axis,

    for (int i = 0; i < grid_len; ++i) {
      if (grid[i].IsPercentage()) {
-        grid_layout[i] = (grid_layout[i] * remaining_percent) / total_percent;
+        long long temp_product =
+            static_cast<long long>(grid_layout[i]) * remaining_percent;
+        grid_layout[i] = temp_product / total_percent;
        remaining_len -= grid_layout[i];
      }
    }
@@ -203,7 +207,9 @@ void LayoutFrameSet::LayOutAxis(GridAxis& axis,

      for (int i = 0; i < grid_len; ++i) {
        if (grid[i].IsPercentage()) {
-          change_percent = (remaining_percent * grid_layout[i]) / total_percent;
+          long long temp_product =
+              static_cast<long long>(grid_layout[i]) * remaining_percent;
+          change_percent = temp_product / total_percent;
          grid_layout[i] += change_percent;
          remaining_len -= change_percent;
        }
@@ -217,7 +223,9 @@ void LayoutFrameSet::LayOutAxis(GridAxis& axis,

      for (int i = 0; i < grid_len; ++i) {
        if (grid[i].IsAbsolute()) {
-          change_fixed = (remaining_fixed * grid_layout[i]) / total_fixed;
+          long long temp_product =
+              static_cast<long long>(grid_layout[i]) * remaining_fixed;
+          change_fixed = temp_product / total_fixed;
          grid_layout[i] += change_fixed;
          remaining_len -= change_fixed;
        }