LibWeb: Reserve enough space for span>1 columns in BorderConflictFinder

This code previously only allocated enough space in m_col_elements_by_index for 1 slot per column, meaning that columns with a span > 1 would write off the end of it.
Author: https://github.com/AtkinsSJ Commit: https://github.com/LadybirdBrowser/ladybird/commit/9e32c9329ac Pull-request: https://github.com/LadybirdBrowser/ladybird/pull/865 Reviewed-by: https://github.com/tcl3 ✅
2024-11-22 07:30:19 +00:00 · 2024-07-27 14:17:57 +01:00 · 2024-07-27 14:17:57 +01:00 · 9e32c9329a · 2024-07-27 19:24:08 +00:00
commit 9e32c9329a
parent 0cec68ea99
3 changed files with 22 additions and 0 deletions
--- a/Tests/LibWeb/Layout/expected/table/col-span-crash.txt
+++ b/Tests/LibWeb/Layout/expected/table/col-span-crash.txt
@ -0,0 +1,19 @@
+Viewport <#document> at (0,0) content-size 800x600 children: not-inline
+  BlockContainer <html> at (0,0) content-size 800x600 [BFC] children: not-inline
+    BlockContainer <body> at (8,8) content-size 784x19 children: not-inline
+      TableWrapper <(anonymous)> at (8,8) content-size 4x2 [BFC] children: not-inline
+        Box <table> at (8,8) content-size 4x2 table-box [TFC] children: not-inline
+          BlockContainer <colgroup> (not painted) table-column-group children: not-inline
+            BlockContainer <col> (not painted) children: not-inline
+      BlockContainer <(anonymous)> at (8,10) content-size 784x17 children: inline
+        frag 0 from TextNode start: 1, length: 19, rect: [8,10 162.109375x17] baseline: 13.296875
+            "PASS (didn't crash)"
+        TextNode <#text>
+
+ViewportPaintable (Viewport<#document>) [0,0 800x600]
+  PaintableWithLines (BlockContainer<HTML>) [0,0 800x600]
+    PaintableWithLines (BlockContainer<BODY>) [8,8 784x19]
+      PaintableWithLines (TableWrapper(anonymous)) [8,8 4x2]
+        PaintableBox (Box<TABLE>) [8,8 4x2]
+      PaintableWithLines (BlockContainer(anonymous)) [8,10 784x17]
+        TextPaintable (TextNode<#text>)
--- a/Tests/LibWeb/Layout/input/table/col-span-crash.html
+++ b/Tests/LibWeb/Layout/input/table/col-span-crash.html
@ -0,0 +1,2 @@
+<table><col span="9"></col></table>
+PASS (didn't crash)
--- a/Userland/Libraries/LibWeb/Layout/TableFormattingContext.cpp
+++ b/Userland/Libraries/LibWeb/Layout/TableFormattingContext.cpp
@ -1386,6 +1386,7 @@ void TableFormattingContext::BorderConflictFinder::collect_conflicting_col_eleme
            VERIFY(child_of_column_group->display().is_table_column());
            auto const& col_node = static_cast<HTML::HTMLTableColElement const&>(*child_of_column_group->dom_node());
            unsigned span = col_node.get_attribute_value(HTML::AttributeNames::span).to_number<unsigned>().value_or(1);
+            m_col_elements_by_index.resize(column_index + span);
            for (size_t i = column_index; i < column_index + span; ++i) {
                m_col_elements_by_index[i] = child_of_column_group;
            }