From 604f6040a180ac409cf338045c8709a171d920d5 Mon Sep 17 00:00:00 2001
From: Tim Ledbetter <timledbetter@gmail.com>
Date: Sun, 21 Jul 2024 17:18:47 +0100
Subject: [PATCH] LibWeb: Clamp paintable box maximum scroll offset to 0

Previously calling `PaintableBox::set_scroll_offset()` with a
PaintableBox whose content size was larger than its scrollble overflow
rect would cause a crash.

Found by Domato.
---
 ...ent-scrollby-negative-scroll-offset-crash.txt |  1 +
 ...nt-scrollby-negative-scroll-offset-crash.html | 16 ++++++++++++++++
 .../Libraries/LibWeb/Painting/PaintableBox.cpp   |  5 +++--
 3 files changed, 20 insertions(+), 2 deletions(-)
 create mode 100644 Tests/LibWeb/Text/expected/Element-scrollby-negative-scroll-offset-crash.txt
 create mode 100644 Tests/LibWeb/Text/input/Element-scrollby-negative-scroll-offset-crash.html

diff --git a/Tests/LibWeb/Text/expected/Element-scrollby-negative-scroll-offset-crash.txt b/Tests/LibWeb/Text/expected/Element-scrollby-negative-scroll-offset-crash.txt
new file mode 100644
index 00000000000..3a2d263b041
--- /dev/null
+++ b/Tests/LibWeb/Text/expected/Element-scrollby-negative-scroll-offset-crash.txt
@@ -0,0 +1 @@
+  PASS (didn't crash)
diff --git a/Tests/LibWeb/Text/input/Element-scrollby-negative-scroll-offset-crash.html b/Tests/LibWeb/Text/input/Element-scrollby-negative-scroll-offset-crash.html
new file mode 100644
index 00000000000..430ad1ce5b5
--- /dev/null
+++ b/Tests/LibWeb/Text/input/Element-scrollby-negative-scroll-offset-crash.html
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<style>
+    #test {
+        height: 0;
+    }
+</style>
+<script src="include.js"></script>
+<div id="test">test</div>
+<script>
+    test(() => {
+        const divElement = document.getElementById("test");
+        divElement.scrollBy(1, 1);
+        divElement.remove();
+        println("PASS (didn't crash)");
+    });
+</script>
diff --git a/Userland/Libraries/LibWeb/Painting/PaintableBox.cpp b/Userland/Libraries/LibWeb/Painting/PaintableBox.cpp
index 50180e06c80..e17231a6861 100644
--- a/Userland/Libraries/LibWeb/Painting/PaintableBox.cpp
+++ b/Userland/Libraries/LibWeb/Painting/PaintableBox.cpp
@@ -82,8 +82,9 @@ void PaintableBox::set_scroll_offset(CSSPixelPoint offset)
     document().set_needs_to_refresh_clip_state(true);
     document().set_needs_to_refresh_scroll_state(true);
 
-    auto max_x_offset = scrollable_overflow_rect->width() - content_size().width();
-    auto max_y_offset = scrollable_overflow_rect->height() - content_size().height();
+    auto max_x_offset = max(scrollable_overflow_rect->width() - content_size().width(), 0);
+    auto max_y_offset = max(scrollable_overflow_rect->height() - content_size().height(), 0);
+
     offset.set_x(clamp(offset.x(), 0, max_x_offset));
     offset.set_y(clamp(offset.y(), 0, max_y_offset));