From dcf38e463045331cdf97db8ec240a55b80c5fec9 Mon Sep 17 00:00:00 2001
From: Anthony Jones <ajones@mozilla.com>
Date: Mon, 22 Oct 2012 22:22:27 -0400
Subject: [PATCH] Bug 791428 - Limit pixel sizes so that they can't exceed app
 unit limits. r=roc

---
 gfx/src/nsCoord.h | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/gfx/src/nsCoord.h b/gfx/src/nsCoord.h
index 3eb1da0c1209..e14286cc60ab 100644
--- a/gfx/src/nsCoord.h
+++ b/gfx/src/nsCoord.h
@@ -444,6 +444,22 @@ inline nscoord NSIntPixelsToAppUnits(int32_t aPixels, int32_t aAppUnitsPerPixel)
 {
   // The cast to nscoord makes sure we don't overflow if we ever change
   // nscoord to float
+#ifndef NS_COORD_IS_FLOAT
+  const int pixels_MAX = nscoord_MAX / aAppUnitsPerPixel;
+  // Bounds-check before converting out of float, to avoid overflow
+  NS_WARN_IF_FALSE(aPixels <= pixels_MAX,
+                   "Overflowed nscoord_MAX in conversion to nscoord");
+  if (aPixels >= pixels_MAX) {
+    aPixels = pixels_MAX;
+  } else {
+    const int pixels_MIN = nscoord_MIN / aAppUnitsPerPixel;
+    NS_WARN_IF_FALSE(aPixels >= pixels_MIN,
+                     "Overflowed nscoord_MIN in conversion to nscoord");
+    if (aPixels <= pixels_MIN) {
+      aPixels = pixels_MIN;
+    }
+  }
+#endif
   nscoord r = aPixels * (nscoord)aAppUnitsPerPixel;
   VERIFY_COORD(r);
   return r;