From 1012947a30a5a2481a9bab2073a335744be6d6ae Mon Sep 17 00:00:00 2001 From: MacDue Date: Thu, 11 May 2023 22:14:31 +0100 Subject: [PATCH] LibWeb: Use .to_px_or_zero() in tentative_height_for_replaced_element() If just .to_px() is used the height can end up as the float `inf` or `nan`. This caused an OOM when loading Polygon as this `inf` would become a `nan` and propagate to the SVG painting, which then attempts to draw a path with nan control points, which would make the Gfx::Painter infinitely split the path till it OOM'd. --- Userland/Libraries/LibWeb/Layout/FormattingContext.cpp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Userland/Libraries/LibWeb/Layout/FormattingContext.cpp b/Userland/Libraries/LibWeb/Layout/FormattingContext.cpp index 5d6ea5e744..42816e4fe6 100644 --- a/Userland/Libraries/LibWeb/Layout/FormattingContext.cpp +++ b/Userland/Libraries/LibWeb/Layout/FormattingContext.cpp @@ -495,7 +495,8 @@ CSSPixels FormattingContext::tentative_height_for_replaced_element(LayoutState c if (computed_height.is_auto()) return 150; - return computed_height.to_px(box, available_space.height.to_px()); + // FIXME: Handle cases when available_space is not definite. + return computed_height.to_px(box, available_space.height.to_px_or_zero()); } CSSPixels FormattingContext::compute_height_for_replaced_element(LayoutState const& state, ReplacedBox const& box, AvailableSpace const& available_space)