[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc

inferno at chromium.org inferno at chromium.org
Wed Dec 22 14:36:45 UTC 2010


The following commit has been merged in the debian/experimental branch:
commit 7c17fcca4dd5110e8083f3c4fb1f73a37ff9ad1d
Author: inferno at chromium.org <inferno at chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Thu Oct 14 04:55:34 2010 +0000

    2010-10-12  Abhishek Arya  <inferno at chromium.org>
    
            Reviewed by Darin Adler.
    
            Prevent block logical height of a root inline box from overflowing by clamping it
            at INT_MAX. Otherwise, we will not be able to properly dirty the set of lines during
            removal of a floating object.
            https://bugs.webkit.org/show_bug.cgi?id=45611
    
            Test: fast/overflow/overflow-block-logical-height-crash.html
    
            * rendering/RootInlineBox.cpp:
            (WebCore::RootInlineBox::alignBoxesInBlockDirection):
    2010-10-12  Abhishek Arya  <inferno at chromium.org>
    
            Reviewed by Darin Adler.
    
            Tests that overflowing the block logical height of a root inline box does not result in crash.
            https://bugs.webkit.org/show_bug.cgi?id=45611
    
            * fast/overflow/overflow-block-logical-height-crash-expected.txt: Added.
            * fast/overflow/overflow-block-logical-height-crash.html: Added.
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@69735 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 96c6c0b..29d1593 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2010-10-12  Abhishek Arya  <inferno at chromium.org>
+
+        Reviewed by Darin Adler.
+
+        Tests that overflowing the block logical height of a root inline box does not result in crash.
+        https://bugs.webkit.org/show_bug.cgi?id=45611
+
+        * fast/overflow/overflow-block-logical-height-crash-expected.txt: Added.
+        * fast/overflow/overflow-block-logical-height-crash.html: Added.
+
 2010-09-23  James Robinson  <jamesr at chromium.org>
 
         Reviewed by Darin Adler.
diff --git a/LayoutTests/fast/overflow/overflow-block-logical-height-crash-expected.txt b/LayoutTests/fast/overflow/overflow-block-logical-height-crash-expected.txt
new file mode 100644
index 0000000..a700cb6
--- /dev/null
+++ b/LayoutTests/fast/overflow/overflow-block-logical-height-crash-expected.txt
@@ -0,0 +1,2 @@
+PASS
+ 
diff --git a/LayoutTests/fast/overflow/overflow-block-logical-height-crash.html b/LayoutTests/fast/overflow/overflow-block-logical-height-crash.html
new file mode 100644
index 0000000..6cb6a54
--- /dev/null
+++ b/LayoutTests/fast/overflow/overflow-block-logical-height-crash.html
@@ -0,0 +1,20 @@
+<html>
+    <head>
+        <script>
+            if (window.layoutTestController)
+                layoutTestController.dumpAsText();
+            
+            function finish()
+            {
+                document.getElementById("result").innerHTML = "PASS";
+            } 
+        </script>
+    </head>
+    <body onload="finish()">
+        <div id="result"></div>
+        <textarea style="width: 100%" rows="100000000"></textarea>
+        <object data="x" align="left"></object>
+        <textarea rows="100000000"></textarea>
+    </body>
+</html>
+
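Review bot: The test body has no comment explaining why the two textareas with rows="100000000" and the object with align="left" are needed, so a later reader cannot tell which elements matter for bug 45611. A short HTML comment linking the large row counts to the block logical height overflow described in the ChangeLog would make the test maintainable. Note also that finish() writes PASS unconditionally on load, so the test detects only a crash and does not check that the height was clamped.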
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 7ecc006..78bcc35 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,17 @@
+2010-10-12  Abhishek Arya  <inferno at chromium.org>
+
+        Reviewed by Darin Adler.
+
+        Prevent block logical height of a root inline box from overflowing by clamping it
+        at INT_MAX. Otherwise, we will not be able to properly dirty the set of lines during
+        removal a floating object.
+        https://bugs.webkit.org/show_bug.cgi?id=45611        
+
+        Test: fast/overflow/overflow-block-logical-height-crash.html
+
+        * rendering/RootInlineBox.cpp:
+        (WebCore::RootInlineBox::alignBoxesInBlockDirection):
+
 2010-10-13  James Robinson  <jamesr at chromium.org>
 
         Reviewed by Darin Adler.
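Review bot: In the new entry, "during removal a floating object" is missing "of", and the bug URL line ends in trailing whitespace. Both are worth cleaning up before the entry lands, since the ChangeLog text is copied verbatim into the commit message.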
diff --git a/WebCore/rendering/RootInlineBox.cpp b/WebCore/rendering/RootInlineBox.cpp
index 38aba23..9719e70 100644
--- a/WebCore/rendering/RootInlineBox.cpp
+++ b/WebCore/rendering/RootInlineBox.cpp
@@ -241,8 +241,12 @@ int RootInlineBox::alignBoxesInBlockDirection(int heightOfBlock, GlyphOverflowAn
     placeBoxesInBlockDirection(heightOfBlock, maxHeight, maxAscent, noQuirksMode, lineTop, lineBottom);
     computeBlockDirectionOverflow(lineTop, lineBottom, noQuirksMode, textBoxDataMap);
     setLineTopBottomPositions(lineTop, lineBottom);
-    
-    heightOfBlock += maxHeight;
+
+    // Detect integer overflow.
+    if (heightOfBlock > numeric_limits<int>::max() - maxHeight)
+        return numeric_limits<int>::max();
+
+    heightOfBlock = heightOfBlock + maxHeight;
     
     return heightOfBlock;
 }
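Review bot: The guard "heightOfBlock > numeric_limits<int>::max() - maxHeight" is only safe when maxHeight is non-negative. If maxHeight can be negative at this point, the subtraction on the right-hand side overflows itself, which is the same undefined behaviour the check is meant to prevent. Either assert maxHeight >= 0 before the comparison or make the test "maxHeight > 0 && heightOfBlock > numeric_limits<int>::max() - maxHeight". The comment "Detect integer overflow." would also be more useful if it said why the result is clamped rather than wrapped (the line-dirtying reason given in the ChangeLog). Rewriting "+=" as "heightOfBlock = heightOfBlock + maxHeight" is an unrelated change and can be dropped.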

-- 
WebKit Debian packaging


