From 4fa36f25e3f271efbc5e084dae607128d9524ce7 Mon Sep 17 00:00:00 2001 From: "asqueella@gmail.com" Date: Wed, 25 Apr 2007 14:02:50 -0700 Subject: [PATCH] Bug 366643 - Crash after loading page with html entities and tagp=Philip Taylor r=pavlov --- gfx/thebes/src/gfxWindowsFonts.cpp | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/gfx/thebes/src/gfxWindowsFonts.cpp b/gfx/thebes/src/gfxWindowsFonts.cpp index f76d36a9d1d..b24acef3fe9 100644 --- a/gfx/thebes/src/gfxWindowsFonts.cpp +++ b/gfx/thebes/src/gfxWindowsFonts.cpp @@ -1479,11 +1479,13 @@ public: int maxItems = 5; Init(); - mItems = (SCRIPT_ITEM *)malloc(maxItems * sizeof(SCRIPT_ITEM)); + // Allocate space for one more item than expected, to handle a rare + // overflow in ScriptItemize (pre XP SP2). See bug 366643. + mItems = (SCRIPT_ITEM *)malloc((maxItems + 1) * sizeof(SCRIPT_ITEM)); while ((rv = ScriptItemize(mString, mLength, maxItems, &mControl, &mState, mItems, &mNumItems)) == E_OUTOFMEMORY) { maxItems *= 2; - mItems = (SCRIPT_ITEM *)realloc(mItems, maxItems * sizeof(SCRIPT_ITEM)); + mItems = (SCRIPT_ITEM *)realloc(mItems, (maxItems + 1) * sizeof(SCRIPT_ITEM)); Init(); }