Clamp frameset cols/rows values safely to integers.

Avoid undefined behavior, such as negative values, when casting from double to int. Bug: 1116832 Change-Id: I49d4d5c6e73a9441d20c8a502c3d9d8cff71b7d6 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2528529Reviewed-by: Christian Biesinger <cbiesinger@chromium.org> Commit-Queue: Morten Stenshorne <mstensho@chromium.org> Cr-Commit-Position: refs/heads/master@{#825754}

Clamp frameset cols/rows values safely to integers.
Avoid undefined behavior, such as negative values, when casting from double to int. Bug: 1116832 Change-Id: I49d4d5c6e73a9441d20c8a502c3d9d8cff71b7d6 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2528529Reviewed-by: Christian Biesinger <cbiesinger@chromium.org> Commit-Queue: Morten Stenshorne <mstensho@chromium.org> Cr-Commit-Position: refs/heads/master@{#825754}
7091ff7b · Morten Stenshorne · Commit Bot · bf6393ed · 7091ff7b · 7091ff7b
Commit 7091ff7b authored Nov 10, 2020 by Morten Stenshorne Committed by Commit Bot Nov 10, 2020
11 changed files
--- a/third_party/blink/renderer/core/layout/layout_frame_set.cc
+++ b/third_party/blink/renderer/core/layout/layout_frame_set.cc
@@ -112,7 +112,7 @@ void LayoutFrameSet::LayOutAxis(GridAxis& axis,
    // Count the total length of all of the fixed columns/rows -> totalFixed.
    // Count the number of columns/rows which are fixed -> countFixed.
    if (grid[i].IsAbsolute()) {
-      grid_layout[i] = max<int>(grid[i].Value() * effective_zoom, 0);
+      grid_layout[i] = clampTo<int>(max(grid[i].Value() * effective_zoom, 0.0));
      total_fixed += grid_layout[i];
      count_fixed++;
    }
@@ -121,7 +121,8 @@ void LayoutFrameSet::LayOutAxis(GridAxis& axis,
    // totalPercent. Count the number of columns/rows which are percentages ->
    // countPercent.
    if (grid[i].IsPercentage()) {
-      grid_layout[i] = max<int>(grid[i].Value() * available_len / 100., 0);
+      grid_layout[i] =
+          clampTo<int>(max(grid[i].Value() * available_len / 100., 0.0));
      total_percent += grid_layout[i];
      count_percent++;
    }
@@ -130,7 +131,7 @@ void LayoutFrameSet::LayOutAxis(GridAxis& axis,
    // totalRelative. Count the number of columns/rows which are relative ->
    // countRelative.
    if (grid[i].IsRelative()) {
-      total_relative += max<int>(grid[i].Value(), 1);
+      total_relative += clampTo<int>(max(grid[i].Value(), 1.0));
      count_relative++;
    }
  }

--- a/third_party/blink/web_tests/external/wpt/html/rendering/non-replaced-elements/the-frameset-and-frame-elements/OWNERS
+++ b/third_party/blink/web_tests/external/wpt/html/rendering/non-replaced-elements/the-frameset-and-frame-elements/OWNERS
+# TEAM: layout-dev@chromium.org
+# COMPONENT: Blink>Layout
+# WPT-NOTIFY: true
--- a/third_party/blink/web_tests/external/wpt/html/rendering/non-replaced-elements/the-frameset-and-frame-elements/large-cols-abssize.html
+++ b/third_party/blink/web_tests/external/wpt/html/rendering/non-replaced-elements/the-frameset-and-frame-elements/large-cols-abssize.html
+<!DOCTYPE html>
+<link rel="author" title="Morten Stenshorne" href="mailto:mstensho@chromium.org">
+<link rel="help" href="https://html.spec.whatwg.org/multipage/rendering.html#frames-and-framesets">
+<link rel="help" href="https://bugs.chromium.org/p/chromium/issues/detail?id=1116832">
+<link rel="match" href="reference/green-ref.html">
+<frameset cols="4294967227%,*" frameborder="0">
+  <frame src="resources/green.html">
+  <frame src="resources/red.html">
+</frameset>
--- a/third_party/blink/web_tests/external/wpt/html/rendering/non-replaced-elements/the-frameset-and-frame-elements/large-cols-percentage.html
+++ b/third_party/blink/web_tests/external/wpt/html/rendering/non-replaced-elements/the-frameset-and-frame-elements/large-cols-percentage.html
+<!DOCTYPE html>
+<link rel="author" title="Morten Stenshorne" href="mailto:mstensho@chromium.org">
+<link rel="help" href="https://html.spec.whatwg.org/multipage/rendering.html#frames-and-framesets">
+<link rel="help" href="https://bugs.chromium.org/p/chromium/issues/detail?id=1116832">
+<link rel="match" href="reference/green-ref.html">
+<frameset cols="4294967227%,*" frameborder="0">
+  <frame src="resources/green.html">
+  <frame src="resources/red.html">
+</frameset>
--- a/third_party/blink/web_tests/external/wpt/html/rendering/non-replaced-elements/the-frameset-and-frame-elements/large-cols-relsize.html
+++ b/third_party/blink/web_tests/external/wpt/html/rendering/non-replaced-elements/the-frameset-and-frame-elements/large-cols-relsize.html
+<!DOCTYPE html>
+<link rel="author" title="Morten Stenshorne" href="mailto:mstensho@chromium.org">
+<link rel="help" href="https://html.spec.whatwg.org/multipage/rendering.html#frames-and-framesets">
+<link rel="help" href="https://bugs.chromium.org/p/chromium/issues/detail?id=1116832">
+<link rel="match" href="reference/green-ref.html">
+<frameset cols="4294967227*,*" frameborder="0">
+  <frame src="resources/green.html">
+  <frame src="resources/red.html">
+</frameset>
--- a/third_party/blink/web_tests/external/wpt/html/rendering/non-replaced-elements/the-frameset-and-frame-elements/large-rows-abssize.html
+++ b/third_party/blink/web_tests/external/wpt/html/rendering/non-replaced-elements/the-frameset-and-frame-elements/large-rows-abssize.html
+<!DOCTYPE html>
+<link rel="author" title="Morten Stenshorne" href="mailto:mstensho@chromium.org">
+<link rel="help" href="https://html.spec.whatwg.org/multipage/rendering.html#frames-and-framesets">
+<link rel="help" href="https://bugs.chromium.org/p/chromium/issues/detail?id=1116832">
+<link rel="match" href="reference/green-ref.html">
+<frameset rows="4294967227%,*" frameborder="0">
+  <frame src="resources/green.html">
+  <frame src="resources/red.html">
+</frameset>
--- a/third_party/blink/web_tests/external/wpt/html/rendering/non-replaced-elements/the-frameset-and-frame-elements/large-rows-percentage.html
+++ b/third_party/blink/web_tests/external/wpt/html/rendering/non-replaced-elements/the-frameset-and-frame-elements/large-rows-percentage.html
+<!DOCTYPE html>
+<link rel="author" title="Morten Stenshorne" href="mailto:mstensho@chromium.org">
+<link rel="help" href="https://html.spec.whatwg.org/multipage/rendering.html#frames-and-framesets">
+<link rel="help" href="https://bugs.chromium.org/p/chromium/issues/detail?id=1116832">
+<link rel="match" href="reference/green-ref.html">
+<frameset rows="4294967227%,*" frameborder="0">
+  <frame src="resources/green.html">
+  <frame src="resources/red.html">
+</frameset>
--- a/third_party/blink/web_tests/external/wpt/html/rendering/non-replaced-elements/the-frameset-and-frame-elements/large-rows-relsize.html
+++ b/third_party/blink/web_tests/external/wpt/html/rendering/non-replaced-elements/the-frameset-and-frame-elements/large-rows-relsize.html
+<!DOCTYPE html>
+<link rel="author" title="Morten Stenshorne" href="mailto:mstensho@chromium.org">
+<link rel="help" href="https://html.spec.whatwg.org/multipage/rendering.html#frames-and-framesets">
+<link rel="help" href="https://bugs.chromium.org/p/chromium/issues/detail?id=1116832">
+<link rel="match" href="reference/green-ref.html">
+<frameset rows="4294967227*,*" frameborder="0">
+  <frame src="resources/green.html">
+  <frame src="resources/red.html">
+</frameset>
--- a/third_party/blink/web_tests/external/wpt/html/rendering/non-replaced-elements/the-frameset-and-frame-elements/reference/green-ref.html
+++ b/third_party/blink/web_tests/external/wpt/html/rendering/non-replaced-elements/the-frameset-and-frame-elements/reference/green-ref.html
+<!DOCTYPE html>
+<link rel="author" title="Morten Stenshorne" href="mailto:mstensho@chromium.org">
+<style>
+  body { background: green; }
+</style>
--- a/third_party/blink/web_tests/external/wpt/html/rendering/non-replaced-elements/the-frameset-and-frame-elements/resources/green.html
+++ b/third_party/blink/web_tests/external/wpt/html/rendering/non-replaced-elements/the-frameset-and-frame-elements/resources/green.html
+<!DOCTYPE html>
+<link rel="author" title="Morten Stenshorne" href="mailto:mstensho@chromium.org">
+<style>
+  body { background: green; }
+</style>
--- a/third_party/blink/web_tests/external/wpt/html/rendering/non-replaced-elements/the-frameset-and-frame-elements/resources/red.html
+++ b/third_party/blink/web_tests/external/wpt/html/rendering/non-replaced-elements/the-frameset-and-frame-elements/resources/red.html
+<!DOCTYPE html>
+<link rel="author" title="Morten Stenshorne" href="mailto:mstensho@chromium.org">
+<style>
+  body { background: red; }
+</style>