From 2c1d42f7e5058b167f557d61b110280c14eb1dfa Mon Sep 17 00:00:00 2001
From: Jinho Bang
Date: Thu, 22 Feb 2018 18:17:16 +0000
Subject: [PATCH] Canvas2d: Fix clusterfuzz crash

It's caused due to divide by zero during calculating region's position.

Bug: 795604
Change-Id: Ibb1f43c6dea64549b9ca8e568d6dace4420fdf91
Reviewed-on: https://chromium-review.googlesource.com/893238
Reviewed-by: Justin Novosad
Commit-Queue: Jinho Bang
Cr-Commit-Position: refs/heads/master@{#538487}
---
 .../canvas-hit-regions-css-transform-test.html | 13 +++++++++++--
 .../canvas/canvas2d/CanvasRenderingContext2D.cpp | 9 +++++++--
 2 files changed, 18 insertions(+), 4 deletions(-)
diff --git a/third_party/WebKit/LayoutTests/fast/canvas-api/canvas-hit-regions-css-transform-test.html b/third_party/WebKit/LayoutTests/fast/canvas-api/canvas-hit-regions-css-transform-test.html
index 101802f2c05bfa..db6d78e360903c 100644
--- a/third_party/WebKit/LayoutTests/fast/canvas-api/canvas-hit-regions-css-transform-test.html
+++ b/third_party/WebKit/LayoutTests/fast/canvas-api/canvas-hit-regions-css-transform-test.html
@@ -24,7 +24,7 @@
 var paddingLeft = parseInt(canvas.style.paddingLeft) || 0;
 var borderLeft = parseInt(canvas.style.borderLeft) || 0;
 var cssWidth = parseInt(canvas.style.width) || canvas.width;
- var scale = cssWidth / canvas.width;
+ var scale = canvas.width == 0 ? 1 : cssWidth / canvas.width;
 var tx = x;
 if (degree) {
 var cos = Math.cos(degree * Math.PI / 180);
@@ -41,7 +41,7 @@
 var paddingTop = parseInt(canvas.style.paddingTop) || 0;
 var borderTop = parseInt(canvas.style.borderTop) || 0;
 var cssHeight = parseInt(canvas.style.height) || canvas.height;
- var scale = cssHeight / canvas.height;
+ var scale = canvas.height == 0 ? 1 : cssHeight / canvas.height;
 var ty = y;
 if (degree) {
 var cos = Math.cos(degree * Math.PI / 180);
@@ -131,6 +131,15 @@
 canvas.style.transform = 'rotate(72deg)';
 yield hit_region_with_css_test(test_set_with_rotate);
+ canvas.width = '0';
+ canvas.height = '0';
+ canvas.style.width = "0px";
+ canvas.style.height = "0px";
+ var test_divide_zero = [
+ { id : null, x : 20, y : 10, name: 'null' }
+ ];
+ yield hit_region_with_css_test(test_divide_zero);
+
 done();
 });
diff --git a/third_party/WebKit/Source/modules/canvas/canvas2d/CanvasRenderingContext2D.cpp b/third_party/WebKit/Source/modules/canvas/canvas2d/CanvasRenderingContext2D.cpp
index 1e89cabcad24bc..1f8a3c6c8acde3 100644
--- a/third_party/WebKit/Source/modules/canvas/canvas2d/CanvasRenderingContext2D.cpp
+++ b/third_party/WebKit/Source/modules/canvas/canvas2d/CanvasRenderingContext2D.cpp
@@ -654,8 +654,13 @@ HitTestCanvasResult* CanvasRenderingContext2D::GetControlAndIdIfHitRegionExists(
 box->AbsoluteToLocal(FloatPoint(location), kUseTransforms);
 if (box->HasBorderOrPadding())
 local_pos.Move(-box->ContentBoxOffset());
- local_pos.Scale(canvas()->width() / box->ContentWidth(),
- canvas()->height() / box->ContentHeight());
+ float scaleWidth = box->ContentWidth().ToFloat() == 0.0f
+ ? 1.0f
+ : canvas()->width() / box->ContentWidth();
+ float scaleHeight = box->ContentHeight().ToFloat() == 0.0f
+ ? 1.0f
+ : canvas()->height() / box->ContentHeight();
+ local_pos.Scale(scaleWidth, scaleHeight);
 HitRegion* hit_region = HitRegionAtPoint(local_pos);
 if (hit_region) {
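Review bot: The added `test_divide_zero` case in canvas-hit-regions-css-transform-test.html zeroes the canvas attributes and the CSS size together, so the width and height guards are never exercised separately and the test cannot show which division it covers. The C++ change divides by the content box size, so a case that keeps `canvas.width`/`canvas.height` non-zero and sets only `canvas.style.width = "0px"` (and a second one with only the height) would pin the guard more directly. The helpers' `parseInt(canvas.style.width) || canvas.width` treats `0px` as unset, so their expected-coordinate maths would need to tolerate that case. A comment above the new block, for example `// A zero-sized canvas must not crash hit testing (Bug 795604).`, would also explain why the only expectation is `id : null`.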
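Review bot: The new `scaleWidth`/`scaleHeight` locals in GetControlAndIdIfHitRegionExists fall back to `1.0f` without saying why, and with that fallback a zero-sized content box is still hit-tested using unscaled coordinates instead of being treated as having no hit region. A comment above them such as `// The content box can be zero-sized (e.g. CSS size 0px); avoid dividing by zero (Bug 795604).` would record the intent, and it is worth confirming whether returning the no-hit result early is the better behaviour for an empty box. The names should follow the snake_case of the neighbouring `local_pos` and `hit_region`, i.e. `scale_width` and `scale_height`. The function body starts and ends outside the hunk, so the value an early return would use is not visible here.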