Context Navigation

Changeset 10959 in webkit

Timestamp:

Oct 25, 2005, 3:26:30 PM (20 years ago)

Author:

bdakin

Message:

* empty log message *

Location:

trunk

Files:

-              r10956
+              r10959
+-10-25  Beth Dakin  <bdakin@apple.com>
+        Layout test for <rdar://problem/4148730> SureSec si#182 safari heap overflow
+        The fix is in WebCore.
+        * fast/table/giantRowspan-expected.checksum: Added.
+        * fast/table/giantRowspan-expected.png: Added.
+        * fast/table/giantRowspan-expected.txt: Added.
+        * fast/table/giantRowspan.html: Added.
 -10-25  Vicki Murley  <vicki@apple.com>

-              r10957
+              r10959
+-10-25  Beth Dakin  <bdakin@apple.com>
+        Reviewed by Maciej
+        Fix for <rdar://problem/4148730> SureSec si#182 safari heap overflow.
+        When a table has a really huge rowSpan, Safari used to crash because
+        the malloc of the grid for the table failed. This fix just checks for
+        the success of the malloc.
+        * khtml/rendering/render_table.cpp:
+        (RenderTableSection::ensureRows): Return false if the grid resize is not
+        successful.
+        (RenderTableSection::addCell): Return early if ensureRows() returned false.
+        * khtml/rendering/render_table.h: Make ensureRows() return a bool instead
+        of void.
 -10-25  Adele Peterson  <adele@apple.com>

-              r10755
+              r10959
+}
 void RenderTableSection::ensureRows(int numRows)
+bool RenderTableSection::ensureRows(int numRows)
+{
     int nRows = gridRows;
     if (numRows > nRows) {
         if (numRows > static_cast<int>(grid.size()))
+            grid.resize(numRows*2+1);
+            if (!grid.resize(numRows*2+1))
+                return false;
         gridRows = numRows;
 …
+    }
+    return true;
+}
 …
     // make sure we have enough rows
+    ensureRows( cRow + rSpan );
+    if (!ensureRows( cRow + rSpan ))
+        return;
     int col = cCol;

Note: See TracChangeset for help on using the changeset viewer.