From da4c62d20027fb8b830a1f47743ccabc2091e18a Mon Sep 17 00:00:00 2001 From: David Shin Date: Wed, 20 Nov 2024 19:49:42 +0000 Subject: [PATCH] Bug 1931933: Use CSSMinMax instead of std::clamp in nsTextControlFrame::GetNaturalBaselineBOffset. r=layout-reviewers,emilio There is no guarantee that the block size is positive, since the size can overflow. Differential Revision: https://phabricator.services.mozilla.com/D229678 --- layout/base/crashtests/1931933.html | 13 +++++++++++++ layout/base/crashtests/crashtests.list | 1 + layout/forms/nsTextControlFrame.cpp | 2 +- 3 files changed, 15 insertions(+), 1 deletion(-) create mode 100644 layout/base/crashtests/1931933.html diff --git a/layout/base/crashtests/1931933.html b/layout/base/crashtests/1931933.html new file mode 100644 index 000000000000..a2891916f725 --- /dev/null +++ b/layout/base/crashtests/1931933.html @@ -0,0 +1,13 @@ + + +
diff --git a/layout/base/crashtests/crashtests.list b/layout/base/crashtests/crashtests.list index 85b6128f4b39..1adfc01ea0c7 100644 --- a/layout/base/crashtests/crashtests.list +++ b/layout/base/crashtests/crashtests.list @@ -566,3 +566,4 @@ pref(layout.accessiblecaret.enabled,true) load 1819239.html load 1821469.html load 1849898-1.html load 1929445.html +asserts(1-3) load 1931933.html diff --git a/layout/forms/nsTextControlFrame.cpp b/layout/forms/nsTextControlFrame.cpp index b0d69813f0e8..ea5d0bf7f152 100644 --- a/layout/forms/nsTextControlFrame.cpp +++ b/layout/forms/nsTextControlFrame.cpp @@ -1243,7 +1243,7 @@ Maybe nsTextControlFrame::GetNaturalBaselineBOffset( } if (aBaselineGroup == BaselineSharingGroup::First) { - return Some(std::clamp(mFirstBaseline, 0, BSize(aWM))); + return Some(CSSMinMax(mFirstBaseline, 0, BSize(aWM))); } // This isn't great, but the content of the root NAC isn't guaranteed // to be loaded, so the best we can do is the edge of the border-box.