From 0985c3a0474ed63ad2e1508c7211e3dc934140ca Mon Sep 17 00:00:00 2001 From: "roc+@cs.cmu.edu" Date: Tue, 11 Dec 2007 17:21:34 -0800 Subject: [PATCH] Bug 363729. Don't allow fixed-pos tables to have abs-pos children. r=dholbert,sr=dbaron --- layout/base/nsCSSFrameConstructor.cpp | 6 +++++- layout/generic/nsBlockReflowState.cpp | 5 ++++- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/layout/base/nsCSSFrameConstructor.cpp b/layout/base/nsCSSFrameConstructor.cpp index 21cac7bb28e..4423a19cc8b 100644 --- a/layout/base/nsCSSFrameConstructor.cpp +++ b/layout/base/nsCSSFrameConstructor.cpp @@ -10802,8 +10802,12 @@ nsCSSFrameConstructor::ReplicateFixedFrames(nsPageContentFrame* aParentFrame) } //XXXbz Should mInitialContainingBlock be docRootFrame? It probably doesn't matter. + // Don't allow abs-pos descendants of the fixed content to escape the content. + // This should not normally be possible (because fixed-pos elements should + // be absolute containers) but fixed-pos tables currently aren't abs-pos + // containers. nsFrameConstructorState state(mPresShell, aParentFrame, - mInitialContainingBlock, + nsnull, mInitialContainingBlock); // Iterate across fixed frames and replicate each whose placeholder is a diff --git a/layout/generic/nsBlockReflowState.cpp b/layout/generic/nsBlockReflowState.cpp index e97452a47a4..8f30364e691 100644 --- a/layout/generic/nsBlockReflowState.cpp +++ b/layout/generic/nsBlockReflowState.cpp @@ -203,7 +203,10 @@ nsBlockReflowState::ComputeBlockAvailSpace(nsIFrame* aFrame, aResult.y = mY; aResult.height = GetFlag(BRS_UNCONSTRAINEDHEIGHT) ? NS_UNCONSTRAINEDSIZE - : mBottomEdge - mY; + : PR_MAX(0, mBottomEdge - mY); + // mY might be greater than mBottomEdge if the block's top margin pushes + // it off the page/column. Negative available height can confuse other code + // and is nonsense in principle. const nsMargin& borderPadding = BorderPadding();