Changeset 30716 in webkit


Timestamp:
Mar 3, 2008 11:51:59 AM (16 years ago)
Author:
hyatt@apple.com
Message:

Fix for <rdar://problem/5776161> REGRESSION: Google Docs Spreadsheet crash

This is also http://bugs.webkit.org/show_bug.cgi?id=17543, fixed table layout corrupts heap.

Make sure not to access position -1 of the size 0 vectors.

Reviewed by ggaren

  • rendering/FixedTableLayout.cpp: (WebCore::FixedTableLayout::layout):
Location:
trunk/WebCore
Files:
2 edited

  • trunk/WebCore/ChangeLog

    r30715 r30716  
     12008-03-03  David Hyatt  <hyatt@apple.com>
     2
     3        Fix for <rdar://problem/5776161> REGRESSION: Google Docs Spreadsheet crash
     4
     5        This is also http://bugs.webkit.org/show_bug.cgi?id=17543, fixed table layout corrupts heap.
     6
     7        Make sure not to access position -1 of the size 0 vectors.
     8
     9        Reviewed by ggaren
     10
     11        * rendering/FixedTableLayout.cpp:
     12        (WebCore::FixedTableLayout::layout):
     13
    1142008-03-03  David D. Kilzer  <ddkilzer@webkit.org>
    215
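Review bot: No regression test lands with this fix: the ChangeLog entry names only rendering/FixedTableLayout.cpp and the changeset edits two files in total, although the entry itself describes the bug as heap corruption. A reduced layout test from bug 17543 that reaches FixedTableLayout::layout with zero effective columns would keep the -1 index from being reintroduced, and the entry should list it.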
  • trunk/WebCore/rendering/FixedTableLayout.cpp

    r25754 r30716  
    286286            calcWidth[--total] += w;
    287287        }
    288         calcWidth[nEffCols - 1] += remainingWidth;
     288        if (nEffCols > 0)
     289            calcWidth[nEffCols - 1] += remainingWidth;
    289290    }
    290291   
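Review bot: The new `if (nEffCols > 0)` guard protects only the final write, while the context line `calcWidth[--total] += w;` just above indexes the same vector after a pre-decrement and nothing visible in this hunk bounds `total` for the empty case. Please confirm that write cannot run when nEffCols is 0, or return early from layout() when there are no effective columns so one check covers every access. A short comment on the guard saying when nEffCols can be 0 would also help the next reader.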
     
    295296        pos += calcWidth[i] + hspacing;
    296297    }
    297     m_table->columnPositions()[m_table->columnPositions().size() - 1] = pos;
     298    int colPositionsSize = m_table->columnPositions().size();
     299    if (colPositionsSize > 0)
     300        m_table->columnPositions()[colPositionsSize - 1] = pos;
    298301}
    299302
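Review bot: `int colPositionsSize = m_table->columnPositions().size();` stores a container size in a signed int, which is a narrowing conversion if size() returns an unsigned type. Consider keeping the value in the type size() returns, or testing for emptiness directly, before computing the last index. columnPositions() is also called twice in the added lines, so binding it to a local reference once would make it obvious that the size check and the write refer to the same vector.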