Bug 19964 - divide by zero crash in RenderBox::calculateBackgroundSize with 0,0 bmp background image
Summary: divide by zero crash in RenderBox::calculateBackgroundSize with 0,0 bmp backg...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: CSS (show other bugs)
Version: 528+ (Nightly build)
Hardware: All OS X 10.5
: P3 Major
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2008-07-09 11:33 PDT by Alexander Mohr
Modified: 2008-09-02 23:23 PDT (History)
0 users

See Also:

Attachments
sample 0,0 bitmap (60 bytes, image/bmp)
2008-07-09 11:35 PDT, Alexander Mohr 		no flags Details
page that links to 0,0 bitmap bugfile that causes crash (205 bytes, text/html)
2008-07-09 11:43 PDT, Alexander Mohr 		no flags Details
Proposed fix (4.86 KB, patch)
2008-07-25 13:19 PDT, Chris Brichford 		chrisb: review-
Details | Formatted Diff | Diff
New patch for bug 19964 (3.47 KB, patch)
2008-08-06 08:33 PDT, Mihnea Ovidenie 		darin: review+
Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Mohr 2008-07-09 11:33:27 PDT 
there's a divide by zero crash in RenderBox::calculateBackgroundSize when you load a 0,0 bmp as the background image and specify -khtml-background-size

It crashes on:
w = bg->imageSize(this, style()->effectiveZoom()).width() * h / bg->imageSize(this, style()->effectiveZoom()).height();

since bg->imageSize returns 0,0
Comment 1 Alexander Mohr 2008-07-09 11:35:35 PDT 
Created attachment 22187 [details]
sample 0,0 bitmap
Comment 2 Alexander Mohr 2008-07-09 11:43:46 PDT 
Created attachment 22188 [details]
page that links to 0,0 bitmap bugfile that causes crash
Comment 3 Chris Brichford 2008-07-25 10:32:30 PDT 
I suspect change set 31981 introduced this bug when it removed the following statements from RenderBox::imageChanged:

if (!image || !image->canRender(style()->effectiveZoom()) || !parent() || !view()) 
        return;

canRender will return false if the image is zero width or zero height.  If we take the early out in RenderBox::imageChanged we never call calculateBackgroundSize, which assumes that any background images have non-zero height.
Comment 4 Chris Brichford 2008-07-25 13:19:52 PDT 
Created attachment 22479 [details]
Proposed fix

Proposed fix, including LayoutTest.
Comment 5 Chris Brichford 2008-07-25 18:11:51 PDT 
My fix is busted.  Breaks rendering of broken images.
Comment 6 Mihnea Ovidenie 2008-08-06 08:33:25 PDT 
Created attachment 22681 [details]
New patch for bug 19964
Comment 7 Darin Adler 2008-08-21 17:45:20 PDT 
Comment on attachment 22681 [details]
New patch for bug 19964

+        * ChangeLog:

The ChangeLog itself shouldn't be listed in the ChangeLog.

We need a ChangeLog for the LayoutTests directory too, not just WebCore.

Otherwise this patch looks good. I'm going to say review+ but having no patch for LayoutTests does add work for whoever commits the patch.
Comment 8 Mihnea Ovidenie 2008-08-22 01:28:53 PDT 
Hello,
Can you please explain me what did you mean by having no patch for LayoutTests? The patch i submitted included a test for the problem itself: "LayoutTests/css3/khtml-background-size-0x0-bmp.html" and the needed bitmap for the test.

If more tests are needed for the patch to land in the trunk, please tell me and i will be glad to do it.

Regards,
Mihnea Ovidenie


> (From update of attachment 22681 [details] [edit])
> +        * ChangeLog:
> 
> The ChangeLog itself shouldn't be listed in the ChangeLog.
> 
> We need a ChangeLog for the LayoutTests directory too, not just WebCore.
> 
> Otherwise this patch looks good. I'm going to say review+ but having no patch
> for LayoutTests does add work for whoever commits the patch.
>
Comment 9 Mark Rowe (bdash) 2008-09-02 23:23:22 PDT 
Landed in r36047.

Mihnea, what Darin meant is that you did not include a ChangeLog entry for your changes inside LayoutTests.  I added one when I landed the change, but in the future you should include one with your patches.