Crash in FontCache::releaseFontData due to infinite float size.
https://bugs.webkit.org/show_bug.cgi?id=86110

Reviewed by Andreas Kling.

Source/WebCore:

New callers always forget to clamp the font size, which overflows
to infinity on multiplication. It is best to clamp it at the end
to avoid getting greater than std::numeric_limits<float>::max().

Test: fast/css/large-font-size-crash.html

* platform/graphics/FontDescription.h:
(WebCore::FontDescription::setComputedSize):
(WebCore::FontDescription::setSpecifiedSize):

LayoutTests:

* fast/css/large-font-size-crash-expected.txt: Added.
* fast/css/large-font-size-crash.html: Added.


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@116698 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 71b39a6..936ddcf 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2012-05-10  Abhishek Arya  <inferno@chromium.org>
+
+        Crash in FontCache::releaseFontData due to infinite float size.
+        https://bugs.webkit.org/show_bug.cgi?id=86110
+
+        Reviewed by Andreas Kling.
+
+        * fast/css/large-font-size-crash-expected.txt: Added.
+        * fast/css/large-font-size-crash.html: Added.
+
 2012-05-10  Eric Seidel  <eric@webkit.org>
 
         Make IFRAME_SEAMLESS child documents inherit styles from their parent iframe element
diff --git a/LayoutTests/fast/css/large-font-size-crash-expected.txt b/LayoutTests/fast/css/large-font-size-crash-expected.txt
new file mode 100644
index 0000000..2afa0bf
--- /dev/null
+++ b/LayoutTests/fast/css/large-font-size-crash-expected.txt
@@ -0,0 +1 @@
+PASS. WebKit didn't crash.
diff --git a/LayoutTests/fast/css/large-font-size-crash.html b/LayoutTests/fast/css/large-font-size-crash.html
new file mode 100755
index 0000000..7dedfa7
--- /dev/null
+++ b/LayoutTests/fast/css/large-font-size-crash.html
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html>
+<body style='font: 9999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999in Ahem;'>
+PASS. WebKit didn't crash.
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+</script>
+</body>
+</html>
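Review bot: the new test file is added with mode 100755 (see the `new file mode` line in this hunk's file header); an HTML layout test needs no executable bit, so it should be 100644 like the expected-results file added just above. The test body itself is sound: the inline `font` shorthand with an enormous inch value exercises the size overflow the change log describes, and `layoutTestController.dumpAsText()` makes the run compare against the one-line expected text.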
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index ea04619..6bfcbdf 100644
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,20 @@
+2012-05-10  Abhishek Arya  <inferno@chromium.org>
+
+        Crash in FontCache::releaseFontData due to infinite float size.
+        https://bugs.webkit.org/show_bug.cgi?id=86110
+
+        Reviewed by Andreas Kling.
+
+        New callers always forget to clamp the font size, which overflows
+        to infinity on multiplication. It is best to clamp it at the end
+        to avoid getting greater than std::numeric_limits<float>::max().
+
+        Test: fast/css/large-font-size-crash.html
+
+        * platform/graphics/FontDescription.h:
+        (WebCore::FontDescription::setComputedSize):
+        (WebCore::FontDescription::setSpecifiedSize):
+
 2012-05-10  Beth Dakin  <bdakin@apple.com>
 
         https://bugs.webkit.org/show_bug.cgi?id=82131
diff --git a/Source/WebCore/platform/graphics/FontDescription.h b/Source/WebCore/platform/graphics/FontDescription.h
index 86b8dfb..534f460 100644
--- a/Source/WebCore/platform/graphics/FontDescription.h
+++ b/Source/WebCore/platform/graphics/FontDescription.h
@@ -138,8 +138,8 @@
     FontDescription makeNormalFeatureSettings() const;
 
     void setFamily(const FontFamily& family) { m_familyList = family; }
-    void setComputedSize(float s) { ASSERT(isfinite(s)); m_computedSize = s; }
-    void setSpecifiedSize(float s) { ASSERT(isfinite(s)); m_specifiedSize = s; }
+    void setComputedSize(float s) { m_computedSize = clampToFloat(s); }
+    void setSpecifiedSize(float s) { m_specifiedSize = clampToFloat(s); }
     void setItalic(FontItalic i) { m_italic = i; }
     void setItalic(bool i) { setItalic(i ? FontItalicOn : FontItalicOff); }
     void setSmallCaps(FontSmallCaps c) { m_smallCaps = c; }
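Review bot: replacing `ASSERT(isfinite(s))` with `clampToFloat(s)` handles an infinite size, but whether it also covers NaN depends on how clampToFloat is written; a clamp built on min/max comparisons lets NaN through unchanged, so if a NaN can reach these setters the case the old assertion would have caught is not fully addressed. No include is added in this diff for clampToFloat, so confirm FontDescription.h already pulls in the header that defines it (wtf/MathExtras.h in WebKit). Dropping the ASSERT outright also loses the debug-build signal that a caller forgot to clamp; keeping a debug-only check next to the clamp would preserve that.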