From c4f2628210b7ec3a119d342399d41d5d01572b21 Mon Sep 17 00:00:00 2001 From: Bernd Date: Wed, 16 Jul 2008 17:02:18 +0200 Subject: [PATCH] limit mathml row- and colspans as we do for html bug 443089 r/sr=bzbarsky --- content/html/content/src/Makefile.in | 1 + content/html/content/src/nsHTMLTableCellElement.cpp | 4 +--- layout/mathml/base/src/nsMathMLmtableFrame.cpp | 4 +++- layout/tables/celldata.h | 4 ++++ xpcom/glue/nsTArray.cpp | 2 +- 5 files changed, 10 insertions(+), 5 deletions(-) diff --git a/content/html/content/src/Makefile.in b/content/html/content/src/Makefile.in index 74e3978e223..83d573c7ebd 100644 --- a/content/html/content/src/Makefile.in +++ b/content/html/content/src/Makefile.in @@ -153,6 +153,7 @@ INCLUDES += \ -I$(srcdir)/../../../events/src \ -I$(srcdir)/../../../xbl/src \ -I$(srcdir)/../../../../layout/style \ + -I$(srcdir)/../../../../layout/tables \ -I$(srcdir) \ $(NULL) diff --git a/content/html/content/src/nsHTMLTableCellElement.cpp b/content/html/content/src/nsHTMLTableCellElement.cpp index 4ae8ae09f3f..d6570552f5a 100644 --- a/content/html/content/src/nsHTMLTableCellElement.cpp +++ b/content/html/content/src/nsHTMLTableCellElement.cpp @@ -45,6 +45,7 @@ #include "nsPresContext.h" #include "nsRuleData.h" #include "nsIDocument.h" +#include "celldata.h" class nsHTMLTableCellElement : public nsGenericHTMLElement, public nsIDOMHTMLTableCellElement @@ -261,9 +262,6 @@ static const nsAttrValue::EnumTable kCellScopeTable[] = { { 0 } }; -#define MAX_ROWSPAN 8190 // celldata.h can not handle more -#define MAX_COLSPAN 1000 // limit as IE and opera do - PRBool nsHTMLTableCellElement::ParseAttribute(PRInt32 aNamespaceID, nsIAtom* aAttribute, diff --git a/layout/mathml/base/src/nsMathMLmtableFrame.cpp b/layout/mathml/base/src/nsMathMLmtableFrame.cpp index 76810e3bfb4..76084b20362 100644 --- a/layout/mathml/base/src/nsMathMLmtableFrame.cpp +++ b/layout/mathml/base/src/nsMathMLmtableFrame.cpp @@ -51,6 +51,7 @@ #include "nsTableOuterFrame.h" #include "nsTableFrame.h" #include "nsTableCellFrame.h" +#include "celldata.h" #include "nsMathMLmtableFrame.h" @@ -775,6 +776,7 @@ nsMathMLmtdFrame::GetRowSpan() rowspan = value.ToInteger(&error); if (error || rowspan < 0) rowspan = 1; + rowspan = PR_MIN(rowspan, MAX_ROWSPAN); } } return rowspan; @@ -792,7 +794,7 @@ nsMathMLmtdFrame::GetColSpan() if (!value.IsEmpty()) { PRInt32 error; colspan = value.ToInteger(&error); - if (error || colspan < 0) + if (error || colspan < 0 || colspan > MAX_COLSPAN) colspan = 1; } } diff --git a/layout/tables/celldata.h b/layout/tables/celldata.h index 08c3b9da751..44965e32c70 100644 --- a/layout/tables/celldata.h +++ b/layout/tables/celldata.h @@ -44,6 +44,10 @@ class nsTableCellFrame; class nsCellMap; class BCCellData; + +#define MAX_ROWSPAN 8190 // the cellmap can not handle more +#define MAX_COLSPAN 1000 // limit as IE and opera do + /** * Data stored by nsCellMap to rationalize rowspan and colspan cells. */ diff --git a/xpcom/glue/nsTArray.cpp b/xpcom/glue/nsTArray.cpp index 5932dffac0f..b5945266f00 100644 --- a/xpcom/glue/nsTArray.cpp +++ b/xpcom/glue/nsTArray.cpp @@ -65,7 +65,7 @@ nsTArray_base::EnsureCapacity(size_type capacity, size_type elemSize) { // doubling algorithm may not be able to allocate it. Additionally we // couldn't fit in the Header::mCapacity member. Just bail out in cases // like that. We don't want to be allocating 2 GB+ arrays anyway. - if (capacity * elemSize > size_type(-1)/2) { + if ((PRUint64)capacity * elemSize > size_type(-1)/2) { NS_ERROR("Attempting to allocate excessively large array"); return PR_FALSE; }