Bug 309006
| Summary: | RenderTheme::updateSliderTrackPart() may divide by zero when computing datalist tick ratios | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Nikolas Zimmermann <zimmermann> |
| Component: | Layout and Rendering | Assignee: | Nikolas Zimmermann <zimmermann> |
| Status: | RESOLVED FIXED | ||
| Severity: | Normal | CC: | bfulgham, simon.fraser, webkit-bug-importer, zalan |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Local Build | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
Nikolas Zimmermann
The tick ratio calculation divides by (maximum - minimum) without guarding against zero, unlike the thumb position calculation which already performs this check. When max == min (e.g. max="0"), this produces NaN values that propagate into SliderTrackPart::drawTicks() creating an unsorted FloatRect.
This fixes a crash in imported/w3c/web-platform-tests/html/semantics/forms/the-input-element/invalid-datalist-options-crash.html for the GTK/WPE ports, where the unsorted rect triggers an assertion in SkCanvas::onDrawRect in SKIA_DEBUG enabled builds.
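The failure mode described in this report, as a stand-alone C++ sketch (an added example, not WebKit's code or the landed patch). `Rect`, `isSorted`, `tickRatioUnguarded`, `tickRatioGuarded`, `tickRect` and `countUnsortedTicks` are hypothetical names, and the fallback ratio of 0 for an empty range is an assumption:

```cpp
#include <cstdio>
#include <vector>

// Hypothetical stand-in for a float rectangle (not WebKit's FloatRect).
struct Rect { float left, top, right, bottom; };

// Sortedness check of the kind a debug canvas asserts on before drawing.
// Any comparison with NaN is false, so a NaN edge always fails it.
bool isSorted(const Rect& r) { return r.left <= r.right && r.top <= r.bottom; }

// Unguarded ratio: with max == min and value == min this is 0.0 / 0.0,
// which is NaN under IEEE 754 arithmetic.
float tickRatioUnguarded(double value, double min, double max) {
    return static_cast<float>((value - min) / (max - min));
}

// Guarded ratio: an empty or inverted range falls back to 0.
// The fallback value is an assumption made for this example.
float tickRatioGuarded(double value, double min, double max) {
    double range = max - min;
    if (!(range > 0)) // also rejects a NaN range
        return 0;
    return static_cast<float>((value - min) / range);
}

// Place a 1x4 tick mark below a horizontal track at the given ratio.
Rect tickRect(const Rect& track, float ratio) {
    float x = track.left + ratio * (track.right - track.left);
    return { x, track.bottom, x + 1, track.bottom + 4 };
}

// Count ticks whose rectangle would trip the sortedness assertion.
int countUnsortedTicks(const std::vector<double>& options, double min, double max,
                       float (*ratio)(double, double, double)) {
    const Rect track { 10, 20, 110, 24 }; // constructed sample geometry
    int unsorted = 0;
    for (double option : options)
        unsorted += !isSorted(tickRect(track, ratio(option, min, max)));
    return unsorted;
}

int main() {
    // Constructed input: one datalist option on a range with min == max == 0.
    std::printf("unguarded: %d unsorted, guarded: %d unsorted\n",
        countUnsortedTicks({ 0.0 }, 0, 0, tickRatioUnguarded),
        countUnsortedTicks({ 0.0 }, 0, 0, tickRatioGuarded));
}
```

Because NaN compares false against everything, a range clamp written with `<` or `>` on the ratio would not catch it either; the guard has to be on the denominator.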
Nikolas Zimmermann
Pull request: https://github.com/WebKit/WebKit/pull/59738
EWS
Committed 308546@main (b859116b450c): <https://commits.webkit.org/308546@main>
Reviewed commits have been landed. Closing PR #59738 and removing active labels.
Radar WebKit Bug Importer
<rdar://problem/171622143>