Fix division by zero in gradient stop calculation

Check if total_length is zero and return 0.0 instead of NaN in this case. Closes #18435 Regression test for crash.
servo · Dec 28, 2017 · 94f3e33 · 94f3e33
1 parent d96fb89
commit 94f3e33
Show file tree

Hide file tree

Showing 4 changed files with 42 additions and 0 deletions.
diff --git a/components/layout/display_list_builder.rs b/components/layout/display_list_builder.rs
@@ -798,6 +798,7 @@ fn convert_gradient_stops(gradient_items: &[GradientItem],
                 position_to_offset(position, total_length)
             }
         };
+        assert!(offset.is_finite());
         stops.push(GradientStop {
             offset: offset,
             color: stop.color.to_gfx_color()
@@ -3271,6 +3272,9 @@ struct StopRun {
 }
 
 fn position_to_offset(position: LengthOrPercentage, total_length: Au) -> f32 {
+    if total_length == Au(0) {
+        return 0.0
+    }
     match position {
         LengthOrPercentage::Length(l) => l.to_i32_au() as f32 / total_length.0 as f32,
         LengthOrPercentage::Percentage(percentage) => percentage.0 as f32,

diff --git a/tests/wpt/metadata/MANIFEST.json b/tests/wpt/metadata/MANIFEST.json
@@ -112773,6 +112773,18 @@
      {}
     ]
    ],
+   "css/css-images/gradient-crash.html": [
+    [
+     "/css/css-images/gradient-crash.html",
+     [
+      [
+       "/css/css-images/gradient-crash-ref.html",
+       "=="
+      ]
+     ],
+     {}
+    ]
+   ],
    "css/css-images/gradient-move-stops.html": [
     [
      "/css/css-images/gradient-move-stops.html",
@@ -239589,6 +239601,11 @@
      {}
     ]
    ],
+   "css/css-images/gradient-crash-ref.html": [
+    [
+     {}
+    ]
+   ],
    "css/css-images/gradient-move-stops-ref.html": [
     [
      {}
@@ -481714,6 +481731,14 @@
    "5e74191a82ee45a5441d595c79b2a41b34748038",
    "reftest"
   ],
+  "css/css-images/gradient-crash-ref.html": [
+   "5ad029bf4f73d96fed5eb085b40ea3daeeb7aaf6",
+   "support"
+  ],
+  "css/css-images/gradient-crash.html": [
+   "6dbca7ec2fe3d0596d3ccc50f7a417aa625ad28e",
+   "reftest"
+  ],
   "css/css-images/gradient-move-stops-ref.html": [
    "bb2fca5aaeb7fe1abf30620695ad3fd832c0d089",
    "support"

diff --git a/tests/wpt/web-platform-tests/css/css-images/gradient-crash-ref.html b/tests/wpt/web-platform-tests/css/css-images/gradient-crash-ref.html
@@ -0,0 +1 @@
+<!--intentionally blank-->
diff --git a/tests/wpt/web-platform-tests/css/css-images/gradient-crash.html b/tests/wpt/web-platform-tests/css/css-images/gradient-crash.html
@@ -0,0 +1,12 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<title>Does this gradient crash the browser?</title>
+<link rel="match" href="gradient-crash-ref.html">
+<link rel="help" href="https://drafts.csswg.org/css-images-3/#color-stop-syntax">
+<meta name="assert" content="Gradients with total length zero and absolute positioned stops do not crash.">
+<style>
+  div {
+    background: linear-gradient(black 0,white);
+  }
+</style>
+<div></div>