fix(player): reject non-finite composition dimensions from attributes and stage-size#1205
Open
calcarazgre646 wants to merge 1 commit into
Open
Conversation
… and stage-size width/height attributes went through parseInt with no validation, so a typo like width="abc" reached scaleIframeToFit as NaN (invalid scale(NaN) transform) and width="0" as a division by zero — both blank the player with no signal. The stage-size message check had the sibling gap: `> 0` alone lets Infinity through, which scales the iframe to 0. Reuse the composition probe's readPositiveDimension guard for the attribute path (the probe path already rejected these) and add the same finite-check the adjacent timeline branch uses for stage-size. Mirrors the clampPlaybackRate hardening from heygen-com#1120.
miguel-heygen
approved these changes
Jun 4, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
Two of the three paths that set the player's composition dimensions skip validation, and both feed
scaleIframeToFit()'sw / compositionWidthdivision (iframe-dom.ts:70):width/heightattributes (hyperframes-player.ts:174-179): rawparseInt(val || "1920", 10). A typo in the embed likewidth="abc"produces NaN, which lands in the iframe as an invalidscale(NaN)transform pluswidth: NaNpx;width="0"produces a division by zero (scale(Infinity)); negative values flip the iframe. In every case the player renders blank with no signal about why.stage-sizeruntime message (runtime-message-handler.ts:88-93): the> 0check alone letsInfinitythrough (Infinity > 0is true), which scales the iframe to 0 and blanks it.The third path already validates: the composition probe rejects non-finite and non-positive dimensions via
readPositiveDimension()before they reach the same sink. And the inconsistency is local in both cases — thetimelinebranch directly above the stage-size check does finite-check its input, andplayback-ratein the same attribute switch goes throughclampPlaybackRate(#1120).Change
readPositiveDimensionfromcomposition-probe.tsand use it for thewidth/heightattributes, falling back to the 1920/1080 defaults theval || ...pattern already implied.Number.isFiniteguard the adjacenttimelinebranch uses to thestage-sizecheck.No behavior change for valid inputs: finite positive dimensions parse exactly as before.
Tests
stage-sizepath (newruntime-message-handler.test.ts): finite positive sizes apply; Infinity/NaN/zero/negative/string sizes are ignored (the Infinity cases fail against the previous code); messages from a different source window are ignored.bun run buildgreen.