Bug 1758824 - Prevent integer overflow in nsFloatManager::ShapeInfo::XInterceptAtY(). r=emilio

`aY * aY` or `aRadiusY * aRadiusY` can lead to 32-bit integer overflow, resulting a negative number. Then `sqrt()` will produce a `nan` on a negative number. We should compute the `y/radiusY` division, and then square the result. Differential Revision: https://phabricator.services.mozilla.com/D149951
2022-06-24 04:59:29 +00:00 · 2022-06-24 04:59:29 +00:00 · e6e61d19e4
--- a/layout/generic/nsFloatManager.cpp
+++ b/layout/generic/nsFloatManager.cpp
@ -2812,7 +2812,9 @@ nscoord nsFloatManager::ShapeInfo::XInterceptAtY(const nscoord aY,
                                                 const nscoord aRadiusY) {
  // Solve for x in the ellipse equation (x/radiusX)^2 + (y/radiusY)^2 = 1.
  MOZ_ASSERT(aRadiusY > 0);
-  return aRadiusX * std::sqrt(1 - (aY * aY) / double(aRadiusY * aRadiusY));
+  const auto ratioY = aY / static_cast<double>(aRadiusY);
+  MOZ_ASSERT(ratioY <= 1, "Why is position y outside of the radius on y-axis?");
+  return NSToCoordTrunc(aRadiusX * std::sqrt(1 - ratioY * ratioY));
 }

 /* static */
--- a/testing/web-platform/tests/css/css-shapes/shape-outside/supported-shapes/circle/shape-outside-circle-integer-overflow-crash.html
+++ b/testing/web-platform/tests/css/css-shapes/shape-outside/supported-shapes/circle/shape-outside-circle-integer-overflow-crash.html
@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<link rel="author" title="Mozilla" href="http://www.mozilla.org/">
+<link rel="help" href="https://drafts.csswg.org/css-shapes-1/#supported-basic-shapes">
+<link rel="help" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1758824">
+
+<style>
+#a {
+  float: right;
+  padding: 30em;
+  shape-outside: margin-box circle(81% at -1px 0px);
+}
+</style>
+<output>
+<shadow id="a">
+<svg>
+</shadow>
+<marquee></marquee>
--- a/testing/web-platform/tests/css/css-shapes/shape-outside/supported-shapes/ellipse/shape-outside-ellipse-integer-overflow-crash.html
+++ b/testing/web-platform/tests/css/css-shapes/shape-outside/supported-shapes/ellipse/shape-outside-ellipse-integer-overflow-crash.html
@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<link rel="author" title="Mozilla" href="http://www.mozilla.org/">
+<link rel="help" href="https://drafts.csswg.org/css-shapes-1/#supported-basic-shapes">
+<link rel="help" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1620671">
+
+<style>
+.a {
+  float: left;
+  min-height: 99vw;
+  shape-outside: ellipse(61% 100% at 34% 62%);
+}
+</style>
+<button class="a">