From 45f01ba16c3f6b7733285192270679aea927a1c4 Mon Sep 17 00:00:00 2001
From: Ashley Hale <ahale@mozilla.com>
Date: Thu, 7 Aug 2025 21:48:07 +0000
Subject: [PATCH] Bug 1966754 - reduce SVGFE render task resolution for
 excessively large inputs r=gfx-reviewers,ErichDonGubler a=diannaS

Original Revision: https://phabricator.services.mozilla.com/D256388

Differential Revision: https://phabricator.services.mozilla.com/D260363
---
 gfx/wr/webrender/src/render_task.rs                    |  4 +++-
 .../tests/svg/crashtests/firefox-bug-1966754.html      | 10 ++++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)
 create mode 100644 testing/web-platform/tests/svg/crashtests/firefox-bug-1966754.html

diff --git a/gfx/wr/webrender/src/render_task.rs b/gfx/wr/webrender/src/render_task.rs
index afaf8407a313..11eb225c2fb3 100644
--- a/gfx/wr/webrender/src/render_task.rs
+++ b/gfx/wr/webrender/src/render_task.rs
@@ -1968,6 +1968,7 @@ impl RenderTask {
             //
             // Also look up the child tasks while we are here.
             let mut used_subregion = LayoutRect::zero();
+            let mut combined_input_subregion = LayoutRect::zero();
             let node_inputs: Vec<(FilterGraphPictureReference, RenderTaskId)> = node.inputs.iter().map(|input| {
                 let (subregion, task) =
                     match input.buffer_id {
@@ -2005,6 +2006,7 @@ impl RenderTask {
                         ),
                     );
                 used_subregion = used_subregion.union(&target_subregion);
+                combined_input_subregion = combined_input_subregion.union(&subregion);
                 (FilterGraphPictureReference{
                     buffer_id: input.buffer_id,
                     // Apply offset to the placement of the input subregion.
@@ -2218,7 +2220,7 @@ impl RenderTask {
                         std_deviation_y.ceil() * BLUR_SAMPLE_SCALE)
                 }
                 _ => used_subregion,
-            };
+            }.union(&combined_input_subregion);
             while
                 padded_subregion.scale(device_to_render_scale, device_to_render_scale).round().width() + node_inflate as f32 * 2.0 > MAX_SURFACE_SIZE as f32 ||
                 padded_subregion.scale(device_to_render_scale, device_to_render_scale).round().height() + node_inflate as f32 * 2.0 > MAX_SURFACE_SIZE as f32 {
diff --git a/testing/web-platform/tests/svg/crashtests/firefox-bug-1966754.html b/testing/web-platform/tests/svg/crashtests/firefox-bug-1966754.html
new file mode 100644
index 000000000000..4d2fd2b49fe1
--- /dev/null
+++ b/testing/web-platform/tests/svg/crashtests/firefox-bug-1966754.html
@@ -0,0 +1,10 @@
+<!doctype html>
+<body>
+  <svg>
+    <filter id="crash" x="0" y="0" width="400px" height="400px">
+      <feColorMatrix in="SourceGraphic" values="0 0 0 0 0  0 0 0 0 0  0 0 0 0 0  0 1 0 0 0"></feColorMatrix>
+      <feGaussianBlur stdDeviation="4"></feGaussianBlur>
+    </filter>
+    <rect width="100" height="100" filter="url(#crash)"/>
+  </svg>
+</body>
\ No newline at end of file