Context Navigation

← Previous Changeset
Next Changeset →

Changeset 69735 in webkit

Timestamp:

Oct 13, 2010 9:55:34 PM (14 years ago)

Author:

inferno@chromium.org

Message:

2010-10-12 Abhishek Arya <inferno@chromium.org>

Reviewed by Darin Adler.

Prevent block logical height of a root inline box from overflowing by clamping it
at INT_MAX. Otherwise, we will not be able to properly dirty the set of lines during
removal a floating object.
https://bugs.webkit.org/show_bug.cgi?id=45611

Test: fast/overflow/overflow-block-logical-height-crash.html

rendering/RootInlineBox.cpp: (WebCore::RootInlineBox::alignBoxesInBlockDirection):

2010-10-12 Abhishek Arya <inferno@chromium.org>

Reviewed by Darin Adler.

Tests that overflowing the block logical height of a root inline box does not result in crash.
https://bugs.webkit.org/show_bug.cgi?id=45611

fast/overflow/overflow-block-logical-height-crash-expected.txt: Added.
fast/overflow/overflow-block-logical-height-crash.html: Added.

Location:

trunk

Files:

: 2 added
: 3 edited

LayoutTests/ChangeLog (modified) (1 diff)
LayoutTests/fast/overflow/overflow-block-logical-height-crash-expected.txt (added)
LayoutTests/fast/overflow/overflow-block-logical-height-crash.html (added)
WebCore/ChangeLog (modified) (1 diff)
WebCore/rendering/RootInlineBox.cpp (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/LayoutTests/ChangeLog

-                      r69727
+                      r69735
+-10-12  Abhishek Arya  <inferno@chromium.org>
+        Reviewed by Darin Adler.
+        Tests that overflowing the block logical height of a root inline box does not result in crash.
+        https://bugs.webkit.org/show_bug.cgi?id=45611
+        * fast/overflow/overflow-block-logical-height-crash-expected.txt: Added.
+        * fast/overflow/overflow-block-logical-height-crash.html: Added.
 -09-23  James Robinson  <jamesr@chromium.org>

trunk/WebCore/ChangeLog

-                      r69727
+                      r69735
+-10-12  Abhishek Arya  <inferno@chromium.org>
+        Reviewed by Darin Adler.
+        Prevent block logical height of a root inline box from overflowing by clamping it
+        at INT_MAX. Otherwise, we will not be able to properly dirty the set of lines during
+        removal a floating object.
+        https://bugs.webkit.org/show_bug.cgi?id=45611
+        Test: fast/overflow/overflow-block-logical-height-crash.html
+        * rendering/RootInlineBox.cpp:
+        (WebCore::RootInlineBox::alignBoxesInBlockDirection):
 -10-13  James Robinson  <jamesr@chromium.org>

trunk/WebCore/rendering/RootInlineBox.cpp

-                      r69228
+                      r69735
     computeBlockDirectionOverflow(lineTop, lineBottom, noQuirksMode, textBoxDataMap);
     setLineTopBottomPositions(lineTop, lineBottom);
+    heightOfBlock += maxHeight;
+    // Detect integer overflow.
+    if (heightOfBlock > numeric_limits<int>::max() - maxHeight)
+        return numeric_limits<int>::max();
+    heightOfBlock = heightOfBlock + maxHeight;
     return heightOfBlock;

Note: See TracChangeset for help on using the changeset viewer.