[SCM] WebKit Debian packaging branch, webkit-1.2, updated. 1.2.5-1500-gb65db3c
Huzaifa Sidhpurwala
huzaifas at redhat.com
Tue Jan 11 11:41:47 UTC 2011
The following commit has been merged in the webkit-1.2 branch:
commit 5fd7531a3fd4ad078f97234e3c1988bbd57ca693
Author: Huzaifa Sidhpurwala <huzaifas at redhat.com>
Date: Tue Nov 30 10:44:19 2010 +0530
2010-11-30 Huzaifa Sidhpurwala <huzaifas at redhat.com>

Backport crash fix for
https://bugs.webkit.org/show_bug.cgi?id=45611

Prevent block logical height of a root inline box from overflowing by clamping it
at INT_MAX. Otherwise, we will not be able to properly dirty the set of lines during
removal of a floating object.

Test: fast/overflow/overflow-block-logical-height-crash.html

* rendering/RootInlineBox.cpp:
(WebCore::RootInlineBox::alignBoxesInBlockDirection):

2010-11-30 Huzaifa Sidhpurwala <huzaifas at redhat.com>

Backport crash fix for
https://bugs.webkit.org/show_bug.cgi?id=45611

Tests that overflowing the block logical height of a root inline box does not result in a crash.

* fast/overflow/overflow-block-logical-height-crash-expected.txt: Added.
* fast/overflow/overflow-block-logical-height-crash.html: Added.

Original development branch commit: 7c17fcca4dd5110e8083f3c4fb1f73a37ff9ad1d

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 31000c3..311c973 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2010-11-30 Huzaifa Sidhpurwala <huzaifas at redhat.com>
+
+ Backport crash fix for
+ https://bugs.webkit.org/show_bug.cgi?id=45611
+
+ Tests that overflowing the block logical height of a root inline box does not result in crash.
+
+ * fast/overflow/overflow-block-logical-height-crash-expected.txt: Added.
+ * fast/overflow/overflow-block-logical-height-crash.html: Added.
+
2010-08-25 Cris Neckar <cdn at chromium.org>
Reviewed by Darin Adler.
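Review bot: The new LayoutTests/ChangeLog entry has no reviewer line, while the entry directly below it carries "Reviewed by Darin Adler.", and it identifies the backported change only by bug URL. Adding the reviewer (or an explicit "Unreviewed backport" marker) and the upstream changeset being backported would let a later reader of the ChangeLog match this entry to the original fix without going back to the commit mail. Minor wording: "does not result in crash" should read "does not result in a crash".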
diff --git a/LayoutTests/fast/overflow/overflow-block-logical-height-crash-expected.txt b/LayoutTests/fast/overflow/overflow-block-logical-height-crash-expected.txt
new file mode 100644
index 0000000..a700cb6
--- /dev/null
+++ b/LayoutTests/fast/overflow/overflow-block-logical-height-crash-expected.txt
@@ -0,0 +1,2 @@
+PASS
+
diff --git a/LayoutTests/fast/overflow/overflow-block-logical-height-crash.html b/LayoutTests/fast/overflow/overflow-block-logical-height-crash.html
new file mode 100644
index 0000000..6cb6a54
--- /dev/null
+++ b/LayoutTests/fast/overflow/overflow-block-logical-height-crash.html
@@ -0,0 +1,20 @@
+<html>
+ <head>
+ <script>
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+ function finish()
+ {
+ document.getElementById("result").innerHTML = "PASS";
+ }
+ </script>
+ </head>
+ <body onload="finish()">
+ <div id="result"></div>
+ <textarea style="width: 100%" rows="100000000"></textarea>
+ <object data="x" align="left"></object>
+ <textarea rows="100000000"></textarea>
+ </body>
+</html>
+
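Review bot: The test writes PASS unconditionally from finish() on load, so it can only signal a crash, and nothing in the file explains which markup drives the overflow. Please add a short comment stating that the two textareas with rows="100000000" are what push the block logical height past INT_MAX and why the left-aligned object with data="x" sits between them. The ChangeLog describes the failure as happening during removal of a floating object, but no script in the test removes anything, so a reader cannot tell from the file how that path is reached. If the crash can occur after onload, consider layoutTestController.waitUntilDone() with a deferred notifyDone() so the run does not finish before the faulty path executes.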
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index d187b0d..8f76090 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,17 @@
+2010-11-30 Huzaifa Sidhpurwala <huzaifas at redhat.com>
+
+ Backport crash fix for
+ https://bugs.webkit.org/show_bug.cgi?id=45611
+
+ Prevent block logical height of a root inline box from overflowing by clamping it
+ at INT_MAX. Otherwise, we will not be able to properly dirty the set of lines during
+ removal a floating object.
+
+ Test: fast/overflow/overflow-block-logical-height-crash.html
+
+ * rendering/RootInlineBox.cpp:
+ (WebCore::RootInlineBox::alignBoxesInBlockDirection):
+
2010-08-25 Cris Neckar <cdn at chromium.org>
Reviewed by Darin Adler.
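Review bot: The WebCore/ChangeLog entry lists the touched function as WebCore::RootInlineBox::alignBoxesInBlockDirection, but the only source hunk in this patch is inside RootInlineBox::verticallyAlignBoxes. The entry appears to be copied from the development branch, where the function has a different name; for the webkit-1.2 backport it should name the function that actually changes here so that ChangeLog searches on this branch find it. The sentence "during removal a floating object" is also missing "of".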
diff --git a/WebCore/rendering/RootInlineBox.cpp b/WebCore/rendering/RootInlineBox.cpp
index 23316f7..93d49fc 100644
--- a/WebCore/rendering/RootInlineBox.cpp
+++ b/WebCore/rendering/RootInlineBox.cpp
@@ -227,9 +227,13 @@ int RootInlineBox::verticallyAlignBoxes(int heightOfBlock)
placeBoxesVertically(heightOfBlock, maxHeight, maxAscent, strictMode, lineTop, lineBottom);
computeVerticalOverflow(lineTop, lineBottom, strictMode);
setLineTopBottomPositions(lineTop, lineBottom);
-
- heightOfBlock += maxHeight;
-
+
+ // Detect integer overflow.
+ if (heightOfBlock > numeric_limits<int>::max() - maxHeight)
+ return numeric_limits<int>::max();
+
+ heightOfBlock = heightOfBlock + maxHeight;
+
return heightOfBlock;
}
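Review bot: The guard "if (heightOfBlock > numeric_limits<int>::max() - maxHeight)" is only sound when maxHeight is non-negative. For a negative maxHeight the subtraction itself overflows a signed int, and the opposite direction (a sum falling below the minimum int) is not checked at all. If maxHeight cannot be negative at this point, an ASSERT(maxHeight >= 0) just above the check would record that assumption; otherwise both signs need handling. Two smaller points: the hunk uses unqualified numeric_limits without adding an include of <limits> or a using-declaration, so the build depends on what the file already pulls in, and rewriting "heightOfBlock += maxHeight" as "heightOfBlock = heightOfBlock + maxHeight" is a no-op change that only enlarges the backport diff. Since the function now returns a saturated INT_MAX, it is also worth confirming that callers do not add to the returned height again without a similar check.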
--
WebKit Debian packaging