From 6862d33e7c5f24a8ee7b9eee1e72a410e376cf59 Mon Sep 17 00:00:00 2001
From: Gingeh <39150378+Gingeh@users.noreply.github.com>
Date: Sun, 10 Nov 2024 13:11:41 +1100
Subject: [PATCH] LibWeb: Don't crash from clipping grid spans

---
 .../LibWeb/Layout/GridFormattingContext.cpp   |  3 ---
 .../expected/grid/grid-row-overflow-crash.txt | 18 +++++++++++++++
 .../row-gaps-with-overflowing-spans-crash.txt | 22 +++++++++++++++++++
 .../input/grid/grid-row-overflow-crash.html   |  3 +++
 ...row-gaps-with-overflowing-spans-crash.html |  3 +++
 5 files changed, 46 insertions(+), 3 deletions(-)
 create mode 100644 Tests/LibWeb/Layout/expected/grid/grid-row-overflow-crash.txt
 create mode 100644 Tests/LibWeb/Layout/expected/grid/row-gaps-with-overflowing-spans-crash.txt
 create mode 100644 Tests/LibWeb/Layout/input/grid/grid-row-overflow-crash.html
 create mode 100644 Tests/LibWeb/Layout/input/grid/row-gaps-with-overflowing-spans-crash.html

diff --git a/Libraries/LibWeb/Layout/GridFormattingContext.cpp b/Libraries/LibWeb/Layout/GridFormattingContext.cpp
index 3ab6dfff83a..06795ae075c 100644
--- a/Libraries/LibWeb/Layout/GridFormattingContext.cpp
+++ b/Libraries/LibWeb/Layout/GridFormattingContext.cpp
@@ -1849,9 +1849,6 @@ CSSPixelRect GridFormattingContext::get_grid_area_rect(GridItem const& grid_item
 
         auto resolved_span = grid_item.span(dimension) * 2;
         auto gap_adjusted_position = grid_item.gap_adjusted_position(dimension);
-        if (gap_adjusted_position + resolved_span > tracks_and_gaps.size()) {
-            resolved_span = tracks_and_gaps.size() - gap_adjusted_position;
-        }
 
         int start = gap_adjusted_position;
         int end = start + resolved_span;
diff --git a/Tests/LibWeb/Layout/expected/grid/grid-row-overflow-crash.txt b/Tests/LibWeb/Layout/expected/grid/grid-row-overflow-crash.txt
new file mode 100644
index 00000000000..4515ae7b7d5
--- /dev/null
+++ b/Tests/LibWeb/Layout/expected/grid/grid-row-overflow-crash.txt
@@ -0,0 +1,18 @@
+Viewport <#document> at (0,0) content-size 800x600 children: not-inline
+  BlockContainer <html> at (0,0) content-size 800x600 [BFC] children: not-inline
+    BlockContainer <body> at (8,8) content-size 784x0 children: not-inline
+      Box <div> at (8,8) content-size 784x0 positioned [GFC] children: not-inline
+        BlockContainer <(anonymous)> (not painted) [BFC] children: inline
+          TextNode <#text>
+        BlockContainer <div> at (8,8) content-size 0x0 positioned [BFC] children: not-inline
+        BlockContainer <(anonymous)> (not painted) [BFC] children: inline
+          TextNode <#text>
+      BlockContainer <(anonymous)> at (8,8) content-size 784x0 children: inline
+        TextNode <#text>
+
+ViewportPaintable (Viewport<#document>) [0,0 800x600]
+  PaintableWithLines (BlockContainer<HTML>) [0,0 800x600]
+    PaintableWithLines (BlockContainer<BODY>) [8,8 784x0]
+      PaintableBox (Box<DIV>) [8,8 784x0]
+        PaintableWithLines (BlockContainer<DIV>) [8,8 0x0]
+      PaintableWithLines (BlockContainer(anonymous)) [8,8 784x0]
diff --git a/Tests/LibWeb/Layout/expected/grid/row-gaps-with-overflowing-spans-crash.txt b/Tests/LibWeb/Layout/expected/grid/row-gaps-with-overflowing-spans-crash.txt
new file mode 100644
index 00000000000..58ca07b7efc
--- /dev/null
+++ b/Tests/LibWeb/Layout/expected/grid/row-gaps-with-overflowing-spans-crash.txt
@@ -0,0 +1,22 @@
+Viewport <#document> at (0,0) content-size 800x600 children: not-inline
+  BlockContainer <html> at (0,0) content-size 800x600 [BFC] children: not-inline
+    BlockContainer <body> at (8,8) content-size 784x48 children: not-inline
+      Box <div> at (8,8) content-size 784x48 [GFC] children: not-inline
+        BlockContainer <(anonymous)> (not painted) [BFC] children: inline
+          TextNode <#text>
+        BlockContainer <div> at (8,24) content-size 784x32 [BFC] children: inline
+          frag 0 from TextNode start: 0, length: 1, rect: [8,24 6.34375x17] baseline: 13.296875
+              "1"
+          TextNode <#text>
+        BlockContainer <(anonymous)> (not painted) [BFC] children: inline
+          TextNode <#text>
+      BlockContainer <(anonymous)> at (8,56) content-size 784x0 children: inline
+        TextNode <#text>
+
+ViewportPaintable (Viewport<#document>) [0,0 800x600]
+  PaintableWithLines (BlockContainer<HTML>) [0,0 800x600]
+    PaintableWithLines (BlockContainer<BODY>) [8,8 784x48]
+      PaintableBox (Box<DIV>) [8,8 784x48]
+        PaintableWithLines (BlockContainer<DIV>) [8,24 784x32]
+          TextPaintable (TextNode<#text>)
+      PaintableWithLines (BlockContainer(anonymous)) [8,56 784x0]
diff --git a/Tests/LibWeb/Layout/input/grid/grid-row-overflow-crash.html b/Tests/LibWeb/Layout/input/grid/grid-row-overflow-crash.html
new file mode 100644
index 00000000000..88647498f63
--- /dev/null
+++ b/Tests/LibWeb/Layout/input/grid/grid-row-overflow-crash.html
@@ -0,0 +1,3 @@
+<div style="display: grid; position: relative">
+    <div style="position: absolute; grid-row: 3"></div>
+</div>
diff --git a/Tests/LibWeb/Layout/input/grid/row-gaps-with-overflowing-spans-crash.html b/Tests/LibWeb/Layout/input/grid/row-gaps-with-overflowing-spans-crash.html
new file mode 100644
index 00000000000..0fb121859d8
--- /dev/null
+++ b/Tests/LibWeb/Layout/input/grid/row-gaps-with-overflowing-spans-crash.html
@@ -0,0 +1,3 @@
+<div style="display: grid; grid-row-gap: 16px; grid-template-rows: 1fr 1fr">
+    <div style="grid-row: 2 / span 3">1</div>
+</div>