RESOLVED FIXED 143863
Large values for line-height cause integer overflow in RenderStyle::computedLineHeight
https://bugs.webkit.org/show_bug.cgi?id=143863
Bem Jones-Bey
Reported 2015-04-16 21:48:00 PDT
This was filed in Blink (https://code.google.com/p/chromium/issues/detail?id=458461), but WebKit has the same issue.
Attachments
Patch (3.99 KB, patch)
2015-04-16 21:56 PDT, Bem Jones-Bey
no flags
Bem Jones-Bey
Comment 1 2015-04-16 21:56:59 PDT
Rob Buis
Comment 2 2015-04-17 10:40:10 PDT
Comment on attachment 251003
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=251003&action=review

Looks good.

> Source/WebCore/rendering/style/RenderStyle.cpp:1411
> + return clampTo<int>(lh.value());

I wonder if this does too much work compared to the Blink approach, since AFAIK the CSS Parser will not allow a negative value here.
Bem Jones-Bey
Comment 3 2015-04-17 14:56:10 PDT
(In reply to comment #2)
> Comment on attachment 251003
> Patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=251003&action=review
>
> Looks good.
>
> > Source/WebCore/rendering/style/RenderStyle.cpp:1411
> > + return clampTo<int>(lh.value());
>
> I wonder if this does too much work compared to the Blink approach, since
> AFAIK the CSS Parser will not allow a negative value here.

Unless we have proof that the extra check is a bottleneck, I feel like using clampTo is more readable and simpler than the alternative.
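An added example, not part of the patch, the thread or WebKit's source: a saturating float-to-int conversion of the kind the quoted `clampTo<int>(lh.value())` line relies on, showing why a plain cast of a very large line-height is unsafe. `clampToInt` and `lineHeightPx` are hypothetical names, and mapping NaN to 0 is an assumption made for this example.

```cpp
// Added illustration; not WebKit code. clampToInt is a hypothetical
// stand-in for the saturating conversion discussed in the thread.
#include <cmath>
#include <cstdio>
#include <limits>

// Convert a float to int without ever performing an out-of-range cast.
// In C++, a float-to-int conversion whose truncated value does not fit in
// the destination type is undefined behaviour, so the range check must
// happen before the cast, not after it.
int clampToInt(float value)
{
    constexpr int lo = std::numeric_limits<int>::min();
    constexpr int hi = std::numeric_limits<int>::max();
    if (std::isnan(value))
        return 0; // assumption of this example: NaN maps to 0
    // Compare in double: every int is exactly representable as a double,
    // whereas static_cast<float>(hi) would round up to 2^31.
    const double v = value;
    if (v >= static_cast<double>(hi))
        return hi;
    if (v <= static_cast<double>(lo))
        return lo;
    return static_cast<int>(value); // in range: truncates toward zero
}

// Hypothetical model of a fixed line-height resolved to integer pixels.
int lineHeightPx(float cssValue)
{
    return clampToInt(cssValue);
}

int main()
{
    // Constructed sample inputs: an ordinary value, two huge values
    // (as from an oversized line-height), and the float equal to 2^31.
    const float samples[] = { 18.9f, 1e20f, -1e20f, 2147483648.0f };
    for (float s : samples)
        std::printf("%g -> %d\n", s, lineHeightPx(s));
    return 0;
}
```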
WebKit Commit Bot
Comment 4 2015-04-17 15:26:51 PDT
Comment on attachment 251003
Patch

Clearing flags on attachment: 251003

Committed r182974: <http://trac.webkit.org/changeset/182974>
WebKit Commit Bot
Comment 5 2015-04-17 15:26:54 PDT
All reviewed patches have been landed. Closing bug.