256165 – UBSan: RenderObjects sets height to number that doesn't fit in an integer

Bug 256165 - UBSan: RenderObjects sets height to number that doesn't fit in an integer

Summary: UBSan: RenderObjects sets height to number that doesn't fit in an integer

Status:	NEW

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	WebCore Misc. (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Nobody

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2023-05-01 08:57 PDT by Seija K.
Modified:	2023-05-08 08:58 PDT (History)
CC List:	1 user (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Seija K. 2023-05-01 08:57:40 PDT

If geometries has size 0 or whenever working on the first geometry, the height can be set to INT_MAX - INT_MIN, which cannot fit in a signed integer. We need to avoid this by specializing those cases.

Comment 1 Seija K. 2023-05-01 09:01:20 PDT

Pull request: https://github.com/WebKit/WebKit/pull/13329

Comment 2 Radar WebKit Bug Importer 2023-05-08 08:58:19 PDT

<rdar://problem/109041952>