LibWeb: Do not shrink the CPU painter's corner clipping vector

If the provided ID is smaller than the corner clipping vector, we would shrink the vector to match. This causes a crash when we have nested PaintContext instances (as these IDs are allocated by PaintContext), each of which perform radius painting. This is seen on https://www.strava.com/login when it loads a reCAPTCHA. The outer div has a border radius, which contains the reCAPTCHA in an iframe. That iframe contains an SVG which also has a border radius.
2025-07-25 21:07:35 +00:00 · 2024-03-09 15:37:24 -05:00 · 2024-03-09 15:37:24 -05:00 · 842caf5e8c
commit 842caf5e8c
parent 3a8c81a460
4 changed files with 24 additions and 1 deletions
--- a/Userland/Libraries/LibWeb/Painting/CommandExecutorCPU.cpp
+++ b/Userland/Libraries/LibWeb/Painting/CommandExecutorCPU.cpp
@ -461,7 +461,9 @@ CommandResult CommandExecutorCPU::draw_triangle_wave(Gfx::IntPoint const& p1, Gf

 CommandResult CommandExecutorCPU::sample_under_corners(u32 id, CornerRadii const& corner_radii, Gfx::IntRect const& border_rect, CornerClip corner_clip)
 {
-    m_corner_clippers.resize(id + 1);
+    if (id >= m_corner_clippers.size())
+        m_corner_clippers.resize(id + 1);
+
    auto clipper = BorderRadiusCornerClipper::create(corner_radii, border_rect.to_type<DevicePixels>(), corner_clip);
    m_corner_clippers[id] = clipper.release_value_but_fixme_should_propagate_errors();
    m_corner_clippers[id]->sample_under_corners(painter());