Bug 19964

Summary:

divide by zero crash in RenderBox::calculateBackgroundSize with 0,0 bmp background image

Product:

WebKit

Reporter:

Alexander Mohr <amohr>

Component:

CSS

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED FIXED

Severity:

Major

Priority:

Version:

528+ (Nightly build)

Hardware:

All

OS:

OS X 10.5

Attachments:

Description	Flags
sample 0,0 bitmap	none
page that links to 0,0 bitmap bugfile that causes crash	none
Proposed fix	chrisb: review-
New patch for bug 19964	darin: review+

Alexander Mohr

Reported 2008-07-09 11:33:27 PDT

there's a divide by zero crash in RenderBox::calculateBackgroundSize when you load a 0,0 bmp as the background image and specify -khtml-background-size It crashes on: w = bg->imageSize(this, style()->effectiveZoom()).width() * h / bg->imageSize(this, style()->effectiveZoom()).height(); since bg->imageSize returns 0,0

Attachments
sample 0,0 bitmap (60 bytes, image/bmp) 2008-07-09 11:35 PDT, Alexander Mohr	no flags	Details
page that links to 0,0 bitmap bugfile that causes crash (205 bytes, text/html) 2008-07-09 11:43 PDT, Alexander Mohr	no flags	Details
Proposed fix (4.86 KB, patch) 2008-07-25 13:19 PDT, Chris Brichford	chrisb: review-	Details Formatted Diff Diff
New patch for bug 19964 (3.47 KB, patch) 2008-08-06 08:33 PDT, Mihnea Ovidenie	darin: review+	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Alexander Mohr

Comment 1 2008-07-09 11:35:35 PDT

Created attachment 22187 [details] sample 0,0 bitmap

Alexander Mohr

Comment 2 2008-07-09 11:43:46 PDT

Created attachment 22188 [details] page that links to 0,0 bitmap bugfile that causes crash

Chris Brichford

Comment 3 2008-07-25 10:32:30 PDT

I suspect change set 31981 introduced this bug when it removed the following statements from RenderBox::imageChanged: if (!image || !image->canRender(style()->effectiveZoom()) || !parent() || !view()) return; canRender will return false if the image is zero width or zero height. If we take the early out in RenderBox::imageChanged we never call calculateBackgroundSize, which assumes that any background images have non-zero height.

Chris Brichford

Comment 4 2008-07-25 13:19:52 PDT

Created attachment 22479 [details] Proposed fix Proposed fix, including LayoutTest.

Chris Brichford

Comment 5 2008-07-25 18:11:51 PDT

My fix is busted. Breaks rendering of broken images.

Mihnea Ovidenie

Comment 6 2008-08-06 08:33:25 PDT

Created attachment 22681 [details] New patch for bug 19964

Darin Adler

Comment 7 2008-08-21 17:45:20 PDT

Comment on attachment 22681 [details] New patch for bug 19964 + * ChangeLog: The ChangeLog itself shouldn't be listed in the ChangeLog. We need a ChangeLog for the LayoutTests directory too, not just WebCore. Otherwise this patch looks good. I'm going to say review+ but having no patch for LayoutTests does add work for whoever commits the patch.

Mihnea Ovidenie

Comment 8 2008-08-22 01:28:53 PDT

Hello, Can you please explain me what did you mean by having no patch for LayoutTests? The patch i submitted included a test for the problem itself: "LayoutTests/css3/khtml-background-size-0x0-bmp.html" and the needed bitmap for the test. If more tests are needed for the patch to land in the trunk, please tell me and i will be glad to do it. Regards, Mihnea Ovidenie > (From update of attachment 22681 [details] [edit]) > + * ChangeLog: > > The ChangeLog itself shouldn't be listed in the ChangeLog. > > We need a ChangeLog for the LayoutTests directory too, not just WebCore. > > Otherwise this patch looks good. I'm going to say review+ but having no patch > for LayoutTests does add work for whoever commits the patch. >

Mark Rowe (bdash)

Comment 9 2008-09-02 23:23:22 PDT

Landed in r36047. Mihnea, what Darin meant is that you did not include a ChangeLog entry for your changes inside LayoutTests. I added one when I landed the change, but in the future you should include one with your patches.

Note You need to log in before you can comment on or make changes to this bug.