[css-tables] Fix divide-by-zero resulting from 32-bit overflow

[css-tables] Fix divide-by-zero resulting from 32-bit overflow

When col/colgroup spans added up to exactly 2^32, the result would
overflow to 0, which was the divisor for a later operation.

This patch clamps col spans to 8190, matching cell colspans. This makes
the problem harder to trigger but doesn't eliminate it.

BUG=660581
Committed: https://crrev.com/e47aea373e0ec97912b63c51797650dc55311336
Cr-Commit-Position: refs/heads/master@{#439041}

[dgrogan, 2016-11-22 00:35:30]

dgrogan@chromium.org changed reviewers:
+ mstensho@opera.com

[dgrogan, 2016-11-22 00:35:31]

Hi Morten,

As the description says, this patch doesn't eliminate the problem. But to
trigger you'd now have to stuff >500k (=~ 2^32 / 8190) col elements into a page
AND overflow 2^32, which at least makes it less likely. And it was already
obscure because we haven't had a user report of it yet, just clusterfuzz.

But if you see an easy way to eliminate the chance of overflow, let me know.
Seems like we'd have to detect cols that push the sum over 2^32 and ignore them
and any followers.

WDYT?

https://codereview.chromium.org/2518163002/diff/20001/third_party/WebKit/Sour...
File third_party/WebKit/Source/core/html/HTMLTableCellElement.cpp (right):

https://codereview.chromium.org/2518163002/diff/20001/third_party/WebKit/Sour...
third_party/WebKit/Source/core/html/HTMLTableCellElement.cpp:115: if (name ==
rowspanAttr || name == colspanAttr) {
No behavior change, just code simplification while I'm here.

https://codereview.chromium.org/2518163002/diff/20001/third_party/WebKit/Sour...
File third_party/WebKit/Source/core/html/HTMLTableColElement.cpp (right):

https://codereview.chromium.org/2518163002/diff/20001/third_party/WebKit/Sour...
third_party/WebKit/Source/core/html/HTMLTableColElement.cpp:74: newSpan =
std::min(
The real behavior change.

https://codereview.chromium.org/2518163002/diff/20001/third_party/WebKit/Sour...
File third_party/WebKit/Source/core/layout/TableLayoutAlgorithmFixed.cpp
(right):

https://codereview.chromium.org/2518163002/diff/20001/third_party/WebKit/Sour...
third_party/WebKit/Source/core/layout/TableLayoutAlgorithmFixed.cpp:299:
DCHECK_GE(autoSpan, numAuto);
The reproduction triggered this because autoSpan was 0 and numAuto was 2.

https://codereview.chromium.org/2518163002/diff/20001/third_party/WebKit/Sour...
third_party/WebKit/Source/core/layout/TableLayoutAlgorithmFixed.cpp:306: int w =
remainingWidth * span / autoSpan;
This is where the /0 happened.

[mstensho (USE GERRIT), 2016-11-22 07:04:29]

lgtm

https://codereview.chromium.org/2518163002/diff/20001/third_party/WebKit/Layo...
File third_party/WebKit/LayoutTests/fast/table/large-col-span-crash.html
(right):

https://codereview.chromium.org/2518163002/diff/20001/third_party/WebKit/Layo...
third_party/WebKit/LayoutTests/fast/table/large-col-span-crash.html:1: <!doctype
html>
Could turn this into a testharness test, to get rid of the expectation file.

https://codereview.chromium.org/2518163002/diff/20001/third_party/WebKit/Layo...
third_party/WebKit/LayoutTests/fast/table/large-col-span-crash.html:6: /* vv
just to get a green square vv */
Not so interesting, since this isn't a visual test.

But you could turn it into a testharness test and check the width and height, of
course. :)

https://codereview.chromium.org/2518163002/diff/20001/third_party/WebKit/Sour...
File third_party/WebKit/Source/core/html/HTMLTableCellElement.cpp (right):

https://codereview.chromium.org/2518163002/diff/20001/third_party/WebKit/Sour...
third_party/WebKit/Source/core/html/HTMLTableCellElement.cpp:54: return max(1u,
min(value, static_cast<unsigned>(kMaxColSpan)));
Could perhaps add static unsigned HTMLTableCellElement::maxColSpan() and
maxRowSpan() getters (that just return kMaxFoo, or maybe just remove the new
enum and return hard-coded values - not sure what's nicer), to get rid of this
cast here?

https://codereview.chromium.org/2518163002/diff/20001/third_party/WebKit/Sour...
third_party/WebKit/Source/core/html/HTMLTableCellElement.cpp:115: if (name ==
rowspanAttr || name == colspanAttr) {
On 2016/11/22 00:35:31, dgrogan (back Nov 28) wrote:
> No behavior change, just code simplification while I'm here.

Nice! Less for everyone to read and process. :)

[dgrogan, 2016-12-01 21:10:30]

Patchset #1 (id:1) has been deleted

[dgrogan, 2016-12-01 21:51:45]

https://codereview.chromium.org/2518163002/diff/20001/third_party/WebKit/Layo...
File third_party/WebKit/LayoutTests/fast/table/large-col-span-crash.html
(right):

https://codereview.chromium.org/2518163002/diff/20001/third_party/WebKit/Layo...
third_party/WebKit/LayoutTests/fast/table/large-col-span-crash.html:1: <!doctype
html>
On 2016/11/22 07:04:29, mstensho wrote:
> Could turn this into a testharness test, to get rid of the expectation file.

Done.

https://codereview.chromium.org/2518163002/diff/20001/third_party/WebKit/Layo...
third_party/WebKit/LayoutTests/fast/table/large-col-span-crash.html:6: /* vv
just to get a green square vv */
On 2016/11/22 07:04:29, mstensho wrote:
> Not so interesting, since this isn't a visual test.
> 
> But you could turn it into a testharness test and check the width and height,
of
> course. :)

Done.

https://codereview.chromium.org/2518163002/diff/20001/third_party/WebKit/Sour...
File third_party/WebKit/Source/core/html/HTMLTableCellElement.cpp (right):

https://codereview.chromium.org/2518163002/diff/20001/third_party/WebKit/Sour...
third_party/WebKit/Source/core/html/HTMLTableCellElement.cpp:54: return max(1u,
min(value, static_cast<unsigned>(kMaxColSpan)));
On 2016/11/22 07:04:29, mstensho wrote:
> Could perhaps add static unsigned HTMLTableCellElement::maxColSpan() and
> maxRowSpan() getters (that just return kMaxFoo, or maybe just remove the new
> enum and return hard-coded values - not sure what's nicer), to get rid of this
> cast here?

Good idea, I went with returning hard-coded values.

[dgrogan, 2016-12-01 21:51:48]

The CQ bit was checked by dgrogan@chromium.org

[dgrogan, 2016-12-01 21:51:48]

The patchset sent to the CQ was uploaded after l-g-t-m from mstensho@opera.com
Link to the patchset: https://codereview.chromium.org/2518163002/#ps60001
(title: "respond to comments")

[commit-bot: I haz the power, 2016-12-01 21:52:10]

CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-12-01 23:38:46]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-12-01 23:38:47]

Try jobs failed on following builders:
  win_chromium_rel_ng on master.tryserver.chromium.win (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.win/builders/win_chromium_rel_...)

[mstensho (USE GERRIT), 2016-12-06 19:53:52]

@dgrogan Looks like all you have to do is update a couple of tests?

[dgrogan, 2016-12-14 23:40:27]

Patchset #4 (id:80001) has been deleted

[dgrogan, 2016-12-15 21:01:45]

Patchset #4 (id:100001) has been deleted

[dgrogan, 2016-12-16 00:57:28]

Patchset #4 (id:120001) has been deleted

[dgrogan, 2016-12-16 01:03:23]

On 2016/12/06 19:53:52, mstensho wrote:
> @dgrogan Looks like all you have to do is update a couple of tests?

Yep, done.

I think I will have to do something like `git cl land --bypass-hooks` to commit
span-attribute-expected.txt.

[dgrogan, 2016-12-16 01:06:28]

The CQ bit was checked by dgrogan@chromium.org

[dgrogan, 2016-12-16 01:06:28]

The patchset sent to the CQ was uploaded after l-g-t-m from mstensho@opera.com
Link to the patchset: https://codereview.chromium.org/2518163002/#ps140001
(title: "update wpt -expected.txt and span-attribute.html but not
-expected.txt")

[commit-bot: I haz the power, 2016-12-16 01:07:46]

CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-12-16 06:08:50]

CQ is committing da patch.

Bot data: {"patchset_id": 140001, "attempt_start_ts": 1481850388155410,
"parent_rev": "2c2f88a656c8c006e2d3e51a039035327eb1922f", "commit_rev":
"09627d7088ca79f4c91ffc75db5cf8a71c25e04b"}

[commit-bot: I haz the power, 2016-12-16 06:10:24]

Description was changed from

==========
[css-tables] Fix divide-by-zero resulting from 32-bit overflow

When col/colgroup spans added up to exactly 2^32, the result would
overflow to 0, which was the divisor for a later operation.

This patch clamps col spans to 8190, matching cell colspans. This makes
the problem harder to trigger but doesn't eliminate it.

BUG=660581
==========

to

==========
[css-tables] Fix divide-by-zero resulting from 32-bit overflow

When col/colgroup spans added up to exactly 2^32, the result would
overflow to 0, which was the divisor for a later operation.

This patch clamps col spans to 8190, matching cell colspans. This makes
the problem harder to trigger but doesn't eliminate it.

BUG=660581

Review-Url: https://codereview.chromium.org/2518163002
==========

[commit-bot: I haz the power, 2016-12-16 06:10:25]

Committed patchset #4 (id:140001)

[commit-bot: I haz the power, 2016-12-16 06:14:37]

Description was changed from

==========
[css-tables] Fix divide-by-zero resulting from 32-bit overflow

When col/colgroup spans added up to exactly 2^32, the result would
overflow to 0, which was the divisor for a later operation.

This patch clamps col spans to 8190, matching cell colspans. This makes
the problem harder to trigger but doesn't eliminate it.

BUG=660581

Review-Url: https://codereview.chromium.org/2518163002
==========

to

==========
[css-tables] Fix divide-by-zero resulting from 32-bit overflow

When col/colgroup spans added up to exactly 2^32, the result would
overflow to 0, which was the divisor for a later operation.

This patch clamps col spans to 8190, matching cell colspans. This makes
the problem harder to trigger but doesn't eliminate it.

BUG=660581

Committed: https://crrev.com/e47aea373e0ec97912b63c51797650dc55311336
Cr-Commit-Position: refs/heads/master@{#439041}
==========

[commit-bot: I haz the power, 2016-12-16 06:14:38]

Patchset 4 (id:??) landed as
https://crrev.com/e47aea373e0ec97912b63c51797650dc55311336
Cr-Commit-Position: refs/heads/master@{#439041}