Bug 1909796 - Allow clip paths larger than int32. r=aosmond

The isEmpty check against path bounds would inadvertently fails because it checks if the width/height would fit in an int32. However, since the bounds will be intersected with a further clip rectangle that is already validated, this check is superfluous and can filter out some valid clip paths. Replacing this check with isEmpty64, which doesn't do the final limit check resolves this issue. Differential Revision: https://phabricator.services.mozilla.com/D218706
2024-08-07 04:42:48 +00:00 · 2024-08-07 04:42:48 +00:00 · 4e34359960
--- a/gfx/skia/skia/src/core/SkAAClip.cpp
+++ b/gfx/skia/skia/src/core/SkAAClip.cpp
@ -1412,7 +1412,9 @@ bool SkAAClip::setPath(const SkPath& path, const SkIRect& clip, bool doAA) {
        ibounds = clip;
    } else {
        path.getBounds().roundOut(&ibounds);
-        if (ibounds.isEmpty() || !ibounds.intersect(clip)) {
+        // Since clip is already validated with isEmpty, it is safe to use isEmpty64
+        // for ibounds as it will be intersected with clip after.
+        if (ibounds.isEmpty64() || !ibounds.intersect(clip)) {
            return this->setEmpty();
        }
    }
--- a/layout/reftests/canvas/1909718-1-ref.html
+++ b/layout/reftests/canvas/1909718-1-ref.html
@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+<body>
+<canvas id="c" width="200" height="200"></canvas>
+
+<script>
+const c = document.getElementById("c");
+const ctx = c.getContext("2d");
+
+ctx.fillStyle = 'red';
+ctx.fillRect(0, 0, 200, 200);
+
+ctx.beginPath();
+ctx.rect(0, 0, 200, 100);
+ctx.rect(100, 100, 100, 100);
+ctx.clip();
+
+ctx.fillStyle = 'green';
+ctx.fillRect(0, 0, 200, 200);
+
+</script>
+
+</body>
+</html>
--- a/layout/reftests/canvas/1909718-1.html
+++ b/layout/reftests/canvas/1909718-1.html
@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+<body>
+<canvas id="c" width="200" height="200"></canvas>
+
+<script>
+const c = document.getElementById("c");
+const ctx = c.getContext("2d");
+
+ctx.fillStyle = 'red';
+ctx.fillRect(0, 0, 200, 200);
+
+ctx.beginPath();
+ctx.rect(-6091968027, 0, 2 * 6091968027, 100);
+ctx.rect(100, 100, 100, 100);
+ctx.clip();
+
+ctx.fillStyle = 'green';
+ctx.fillRect(0, 0, 200, 200);
+
+</script>
+
+</body>
+</html>
--- a/layout/reftests/canvas/reftest.list
+++ b/layout/reftests/canvas/reftest.list
@ -127,3 +127,5 @@ fuzzy-if(winWidget,0-94,0-1575) fuzzy-if(cocoaWidget,0-1,0-34) == 1304353-text-g
 != 1850727-1.html 1850727-1-ref.html

 == transformed-line-stroke.html transformed-line-stroke-ref.html
+
+== 1909718-1.html 1909718-1-ref.html