From b7cc7543a2888be18dc97ad3dee24ca6314179e8 Mon Sep 17 00:00:00 2001
From: JC Alvarado <joncarlo@apple.com>
Date: Tue, 31 Jan 2023 13:06:23 -0800
Subject: [PATCH] Cherry-pick 259548.8@safari-7615-branch (5a0f792b008f).
 https://bugs.webkit.org/show_bug.cgi?id=251158

    Check color opacity after lossy conversion when blending
    https://bugs.webkit.org/show_bug.cgi?id=251158
    rdar://104553839

    Reviewed by Dean Jackson.

    We check opacity to determine if we should forgo blending,
    however after performing a lossy conversion we can end
    up with alpha values that result in a division by zero.
    Add an additional check after conversion to prevent this
    case.

    * LayoutTests/fast/backgrounds/background-color-lch-crash-expected.txt: Added.
    * LayoutTests/fast/backgrounds/background-color-lch-crash.html: Added.
    * Source/WebCore/platform/graphics/ColorBlending.cpp:
    (WebCore::blendSourceOver):

    Canonical link: https://commits.webkit.org/259548.8@safari-7615-branch
---
 .../background-color-lch-crash-expected.txt        |  1 +
 .../backgrounds/background-color-lch-crash.html    | 14 ++++++++++++++
 Source/WebCore/platform/graphics/ColorBlending.cpp |  6 ++++++
 3 files changed, 21 insertions(+)
 create mode 100644 LayoutTests/fast/backgrounds/background-color-lch-crash-expected.txt
 create mode 100644 LayoutTests/fast/backgrounds/background-color-lch-crash.html

diff --git a/LayoutTests/fast/backgrounds/background-color-lch-crash-expected.txt b/LayoutTests/fast/backgrounds/background-color-lch-crash-expected.txt
new file mode 100644
index 000000000000..71c4f8559439
--- /dev/null
+++ b/LayoutTests/fast/backgrounds/background-color-lch-crash-expected.txt
@@ -0,0 +1 @@
+This test passes if it does not crash
diff --git a/LayoutTests/fast/backgrounds/background-color-lch-crash.html b/LayoutTests/fast/backgrounds/background-color-lch-crash.html
new file mode 100644
index 000000000000..f622f4d658a1
--- /dev/null
+++ b/LayoutTests/fast/backgrounds/background-color-lch-crash.html
@@ -0,0 +1,14 @@
+<style>
+    html, body {
+      background-color: lch(0 0 0 / 0.001);
+    }
+  </style>
+  <script>
+    internals.settings.setCaretBrowsingEnabled(true);
+    onload = () => {
+      document.execCommand('SelectAll');
+    };
+    if (window.testRunner)
+        testRunner.dumpAsText();
+  </script>
+  <span>This test passes if it does not crash</span>
\ No newline at end of file
diff --git a/Source/WebCore/platform/graphics/ColorBlending.cpp b/Source/WebCore/platform/graphics/ColorBlending.cpp
index 47c6eaaee1e6..5f89021d64ad 100644
--- a/Source/WebCore/platform/graphics/ColorBlending.cpp
+++ b/Source/WebCore/platform/graphics/ColorBlending.cpp
@@ -42,6 +42,12 @@ Color blendSourceOver(const Color& backdrop, const Color& source)
     auto [backdropR, backdropG, backdropB, backdropA] = backdrop.toColorTypeLossy<SRGBA<uint8_t>>().resolved();
     auto [sourceR, sourceG, sourceB, sourceA] = source.toColorTypeLossy<SRGBA<uint8_t>>().resolved();
 
+    if (!backdropA || sourceA == 255)
+        return source;
+
+    if (!sourceA)
+        return backdrop;
+
     int d = 0xFF * (backdropA + sourceA) - backdropA * sourceA;
     int a = d / 0xFF;
     int r = (backdropR * backdropA * (0xFF - sourceA) + 0xFF * sourceA * sourceR) / d;