From c43116773673d1d5e24ad2e3df0d530f1fb75d36 Mon Sep 17 00:00:00 2001
From: Aliaksandr Kalenik
Date: Tue, 25 Jul 2023 14:46:44 +0200
Subject: [PATCH] LibWeb: Implement subtraction using saturated_addition in CSSPixels

Fixes overflow bug found by UBSAN.
---
 Tests/LibWeb/TestCSSPixels.cpp | 11 +++++++++++
 Userland/Libraries/LibWeb/PixelUnits.cpp | 2 +-
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/Tests/LibWeb/TestCSSPixels.cpp b/Tests/LibWeb/TestCSSPixels.cpp
index 84c695557b..7c78cbab9d 100644
--- a/Tests/LibWeb/TestCSSPixels.cpp
+++ b/Tests/LibWeb/TestCSSPixels.cpp
@@ -76,4 +76,15 @@ TEST_CASE(comparison2)
 EXPECT_EQ(CSSPixels(123) == CSSPixels(123), true);
 }
 
+TEST_CASE(saturated_addition)
+{
+ EXPECT_EQ(CSSPixels(INFINITY), CSSPixels(INFINITY) + 1);
+}
+
+TEST_CASE(saturated_subtraction)
+{
+ auto value = CSSPixels(INFINITY);
+ EXPECT_EQ(value - -1, CSSPixels(INFINITY));
+}
+
 }
diff --git a/Userland/Libraries/LibWeb/PixelUnits.cpp b/Userland/Libraries/LibWeb/PixelUnits.cpp
index 61551ab594..6fc367a8f3 100644
--- a/Userland/Libraries/LibWeb/PixelUnits.cpp
+++ b/Userland/Libraries/LibWeb/PixelUnits.cpp
@@ -112,7 +112,7 @@ CSSPixels CSSPixels::operator+(CSSPixels const& other) const
 CSSPixels CSSPixels::operator-(CSSPixels const& other) const
 {
 CSSPixels result;
- result.set_raw_value(raw_value() - other.raw_value());
+ result.set_raw_value(saturated_addition(raw_value(), -other.raw_value()));
 return result;
 }
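Review bot: Both new cases exercise only the upper bound: `saturated_addition` adds 1 to `CSSPixels(INFINITY)` and `saturated_subtraction` subtracts -1 from it, so nothing pins what `operator-` does at the lower end of the range. Since the commit message says the change fixes an overflow found by UBSAN, a case for the opposite direction would guard against a regression there, for example `EXPECT_EQ(CSSPixels(-INFINITY) - 1, CSSPixels(-INFINITY));`, assuming the constructor saturates negative infinity the same way these tests rely on for the positive one. The two cases also pass expected and actual to `EXPECT_EQ` in opposite orders; picking one order keeps failure output consistent.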
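Review bot: The unary minus in `-other.raw_value()` can itself overflow: if `raw_value()` returns a signed integer (its type is not visible in this hunk), negating the most negative raw value is not representable, so for that operand the undefined behaviour UBSAN reported moves from the subtraction to the negation. Subtracting with an overflow-checked primitive avoids the negation entirely. The sketch below uses `__builtin_sub_overflow` and clamps in the direction given by the sign of `other`; it assumes `int` storage and that saturation means clamping to the type's limits, which should be matched to whatever `saturated_addition` does.

```cpp
CSSPixels CSSPixels::operator-(CSSPixels const& other) const
{
    // … unchanged: CSSPixels result; …
    int difference = 0;
    if (__builtin_sub_overflow(raw_value(), other.raw_value(), &difference)) {
        // Subtracting a negative value overflows upward, a positive one downward.
        difference = other.raw_value() < 0 ? NumericLimits<int>::max() : NumericLimits<int>::min();
    }
    result.set_raw_value(difference);
    // … unchanged: return result; …
```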