From 221e96f84e8f4c7ce83f5401eeaf04b1d464c54b Mon Sep 17 00:00:00 2001
From: Chris Lord <chrislord.net@gmail.com>
Date: Wed, 4 Jul 2012 15:56:49 +0100
Subject: [PATCH] Bug 758620 - Fix abort caused by unchecked clamping. r=ajuma

The initial values set for the offset for fixed position layers could clamp
with a max < min. This was due to a slightly incorrect min, but also because
it should have set these values in the else block of a later if that did a
range check on these values.
---
 gfx/layers/ipc/CompositorParent.cpp | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/gfx/layers/ipc/CompositorParent.cpp b/gfx/layers/ipc/CompositorParent.cpp
index 29965a99767c..9e1a2389e046 100644
--- a/gfx/layers/ipc/CompositorParent.cpp
+++ b/gfx/layers/ipc/CompositorParent.cpp
@@ -421,13 +421,8 @@ CompositorParent::TransformShadowTree()
 
   // Translate fixed position layers so that they stay in the correct position
   // when mScrollOffset and metricsScrollOffset differ.
-  gfxPoint scaleDiff(tempScaleDiffX, tempScaleDiffY);
-  gfxPoint offset(clamped(mScrollOffset.x / tempScaleDiffX, mContentRect.x / tempScaleDiffX,
-                          (mContentRect.XMost() - mWidgetSize.width / tempScaleDiffX)) -
-                  metricsScrollOffset.x,
-                  clamped(mScrollOffset.y / tempScaleDiffY, mContentRect.y / tempScaleDiffY,
-                          (mContentRect.YMost() - mWidgetSize.height / tempScaleDiffY)) -
-                  metricsScrollOffset.y);
+  gfxPoint offset;
+  gfxPoint scaleDiff;
 
   // If the contents can fit entirely within the widget area on a particular
   // dimenson, we need to translate and scale so that the fixed layers remain
@@ -435,11 +430,21 @@ CompositorParent::TransformShadowTree()
   if (mContentRect.width * tempScaleDiffX < mWidgetSize.width) {
     offset.x = -metricsScrollOffset.x;
     scaleDiff.x = NS_MIN(1.0f, mWidgetSize.width / (float)mContentRect.width);
+  } else {
+    offset.x = clamped(mScrollOffset.x / tempScaleDiffX, (float)mContentRect.x,
+                       mContentRect.XMost() - mWidgetSize.width / tempScaleDiffX) -
+               metricsScrollOffset.x;
+    scaleDiff.x = tempScaleDiffX;
   }
 
   if (mContentRect.height * tempScaleDiffY < mWidgetSize.height) {
     offset.y = -metricsScrollOffset.y;
     scaleDiff.y = NS_MIN(1.0f, mWidgetSize.height / (float)mContentRect.height);
+  } else {
+    offset.y = clamped(mScrollOffset.y / tempScaleDiffY, (float)mContentRect.y,
+                       mContentRect.YMost() - mWidgetSize.height / tempScaleDiffY) -
+               metricsScrollOffset.y;
+    scaleDiff.y = tempScaleDiffY;
   }
 
   TransformFixedLayers(layer, offset, scaleDiff);