[FCP++] Image: int-multiply overflow

ImagePaintTimingDetector has an overflow issue in multiplying two integers (height*width). In this patch we will use rect.Size().Area() to compute the size. As the function has handled the overflown issue properly, we can use it to fix the bug. The fix has been verified with a local run of the Cluster Fuzz. Bug: 969295 Change-Id: I67fda6339bbcbc8346b02397031d9a73c3c61f4b Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1643091Reviewed-by: Xianzhu Wang <wangxianzhu@chromium.org> Commit-Queue: Liquan (Max) Gu <maxlg@chromium.org> Cr-Commit-Position: refs/heads/master@{#666280}

[FCP++] Image: int-multiply overflow
ImagePaintTimingDetector has an overflow issue in multiplying two integers (height*width). In this patch we will use rect.Size().Area() to compute the size. As the function has handled the overflown issue properly, we can use it to fix the bug. The fix has been verified with a local run of the Cluster Fuzz. Bug: 969295 Change-Id: I67fda6339bbcbc8346b02397031d9a73c3c61f4b Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1643091Reviewed-by: Xianzhu Wang <wangxianzhu@chromium.org> Commit-Queue: Liquan (Max) Gu <maxlg@chromium.org> Cr-Commit-Position: refs/heads/master@{#666280}
b5f23e7e · Liquan(Max) Gu · Commit Bot · cdf306db · b5f23e7e
Commit b5f23e7e authored Jun 05, 2019 by Liquan(Max) Gu Committed by Commit Bot Jun 05, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 4 deletions

third_party/blink/renderer/core/paint/image_paint_timing_detector.cc .../blink/renderer/core/paint/image_paint_timing_detector.cc +3 -4

No files found.
--- a/third_party/blink/renderer/core/paint/image_paint_timing_detector.cc
+++ b/third_party/blink/renderer/core/paint/image_paint_timing_detector.cc
@@ -47,6 +47,7 @@ uint64_t DownScaleIfIntrinsicSizeIsSmaller(
  // |visual_size| * min(|displayed_image_size|, |intrinsic_image_size|) /
  // |displayed_image_size|
  if (intrinsic_image_size < displayed_image_size) {
+    DCHECK_GT(displayed_image_size, 0u);
    return static_cast<double>(visual_size) * intrinsic_image_size /
           displayed_image_size;
  }
@@ -259,8 +260,7 @@ void ImagePaintTimingDetector::RecordBackgroundImage(
          .Size()
          .Area();
  rect_size = DownScaleIfIntrinsicSizeIsSmaller(
-      rect_size, intrinsic_size.Area(),
-      (visual_rect.Width() * visual_rect.Height()));
+      rect_size, intrinsic_size.Area(), visual_rect.Size().Area());

  if (rect_size == 0) {
    // Each invisible background image is tracked by its node id. In other
@@ -321,8 +321,7 @@ void ImagePaintTimingDetector::RecordImage(
          .Size()
          .Area();
  rect_size = DownScaleIfIntrinsicSizeIsSmaller(
-      rect_size, intrinsic_size.Area(),
-      visual_rect.Width() * visual_rect.Height());
+      rect_size, intrinsic_size.Area(), visual_rect.Size().Area());
  DVLOG(2) << "Node id (" << node_id << "): size=" << rect_size
           << ", type=" << object.DebugName();
  if (rect_size == 0) {