Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: c35083f68066b400bfa6a4b54e61054bd0f8c2f6
https://github.com/WebKit/WebKit/commit/c35083f68066b400bfa6a4b54e61054bd0f8c2f6
Author: Chris Dumez <[email protected]>
Date: 2026-04-23 (Thu, 23 Apr 2026)
Changed paths:
M Source/WebCore/dom/Element.cpp
Log Message:
-----------
Element::setScrollLeft/setScrollTop: use clampToInteger() to avoid undefined behavior
https://bugs.webkit.org/show_bug.cgi?id=313120
Reviewed by Anne van Kesteren.
The scrolling-element code path used `static_cast<int>()` on the result of
multiplying the scroll offset by pageZoomFactor and frameScaleFactor. When
the float result exceeds INT_MAX (e.g. large scroll value with browser
zoom), this is undefined behavior. Use `clampToInteger()` instead, matching
the non-scrolling-element code path in the same functions.
* Source/WebCore/dom/Element.cpp:
(WebCore::Element::setScrollLeft):
(WebCore::Element::setScrollTop):
Canonical link: https://commits.webkit.org/311904@main
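An added example, not WebKit's own code: a saturating float-to-int conversion standing in for WTF's clampToInteger(), applied to the scroll-offset product the commit message describes. The names clampToIntegerExample and scaledScrollOffset are hypothetical.

```cpp
#include <climits>
#include <cmath>

// Hypothetical stand-in for WTF's clampToInteger(): converts a floating-point
// value to int with saturation instead of relying on static_cast<int>(),
// whose result is undefined once the value leaves the int range.
int clampToIntegerExample(double value)
{
    if (std::isnan(value))
        return 0; // NaN has no sensible scroll position; treat as zero
    // INT_MAX and INT_MIN are exactly representable as doubles, so comparing
    // in double precision before the cast is safe.
    if (value >= static_cast<double>(INT_MAX))
        return INT_MAX;
    if (value <= static_cast<double>(INT_MIN))
        return INT_MIN;
    return static_cast<int>(value); // in range: well-defined truncation toward zero
}

// Mirrors the scrolling-element computation from the commit message
// (scroll offset * pageZoomFactor * frameScaleFactor) using the safe conversion.
int scaledScrollOffset(double newOffset, double pageZoomFactor, double frameScaleFactor)
{
    return clampToIntegerExample(newOffset * pageZoomFactor * frameScaleFactor);
}
```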