WebCore::RenderTableCell::setCol should put a cap on the column value.
author: zalan@apple.com <zalan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 21 Mar 2016 23:29:58 +0000 (23:29 +0000)
committer: zalan@apple.com <zalan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 21 Mar 2016 23:29:58 +0000 (23:29 +0000)
https://bugs.webkit.org/show_bug.cgi?id=155642
<rdar://problem/15895201>

Reviewed by Simon Fraser.

This patch ensures that we don't crash when the column number is large enough.
See webkit.org/b/71135 for more information.

Source/WebCore:

Test: tables/colspan-with-large-value-crash.html

* rendering/RenderTableCell.h:
(WebCore::RenderTableCell::setCol):

LayoutTests:

* tables/colspan-with-large-value-crash-expected.txt: Added.
* tables/colspan-with-large-value-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@198506 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/tables/colspan-with-large-value-crash-expected.txt [new file with mode: 0644]
LayoutTests/tables/colspan-with-large-value-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/rendering/RenderTableCell.h

index d78a436..5a0e412 100644 (file)
@@ -1,3 +1,17 @@
+2016-03-21  Zalan Bujtas  <zalan@apple.com>
+
+        WebCore::RenderTableCell::setCol should put a cap on the column value. 
+        https://bugs.webkit.org/show_bug.cgi?id=155642
+        <rdar://problem/15895201>
+
+        Reviewed by Simon Fraser.
+
+        This patch ensures that we don't crash when the column number is large enough.
+        see webkit.org/b/71135 for more information.
+
+        * tables/colspan-with-large-value-crash-expected.txt: Added.
+        * tables/colspan-with-large-value-crash.html: Added.
+
 2016-03-21  Brady Eidson  <beidson@apple.com>
 
         storage/indexeddb/deletedatabase-delayed-by-open-and-versionchange.html flaky on mac-wk2.
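Review bot: The title line of the new entry ("WebCore::RenderTableCell::setCol should put a cap on the column value. ") carries trailing whitespace, and "see webkit.org/b/71135" starts a sentence in lower case; both ChangeLog entries in this patch repeat the same text, so fix it in both before landing.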
diff --git a/LayoutTests/tables/colspan-with-large-value-crash-expected.txt b/LayoutTests/tables/colspan-with-large-value-crash-expected.txt
new file mode 100644 (file)
index 0000000..73409ae
--- /dev/null
@@ -0,0 +1,2 @@
+PASS if no crash.
+
diff --git a/LayoutTests/tables/colspan-with-large-value-crash.html b/LayoutTests/tables/colspan-with-large-value-crash.html
new file mode 100644 (file)
index 0000000..93f312a
--- /dev/null
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>This tests that we do not crash when colspan value is large.</title>
+</head>
+<body>
+PASS if no crash.
+<table>
+    <td colspan="53927142"></td>
+    <th>
+        <td></td>
+    </th>
+</table>
+<script>
+    if (window.testRunner)
+        testRunner.dumpAsText();
+</script>
+</body>
+</html>
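Review bot: The test markup relies on two things that are not explained in the file: `colspan="53927142"` is presumably chosen to exceed the cap that setCol now enforces, and the `<td>` placed directly under `<table>` plus the `<td>` nested inside `<th>` look deliberately malformed to drive the table section fixup that reaches setCol. A short HTML comment stating that the colspan must be above maxColumnIndex and that the nesting is intentional would stop a future cleanup from "fixing" the markup and silently losing the regression coverage; `<!-- colspan chosen to exceed maxColumnIndex; malformed nesting is intentional -->` above the table would do.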
index b9a5d28..30a10ce 100644 (file)
@@ -1,3 +1,19 @@
+2016-03-21  Zalan Bujtas  <zalan@apple.com>
+
+        WebCore::RenderTableCell::setCol should put a cap on the column value. 
+        https://bugs.webkit.org/show_bug.cgi?id=155642
+        <rdar://problem/15895201>
+
+        Reviewed by Simon Fraser.
+
+        This patch ensures that we don't crash when the column number is large enough.
+        see webkit.org/b/71135 for more information.
+
+        Test: tables/colspan-with-large-value-crash.html
+
+        * rendering/RenderTableCell.h:
+        (WebCore::RenderTableCell::setCol):
+
 2016-03-21  Simon Fraser  <simon.fraser@apple.com>
 
         [iOS WK2] Use larger tiles when possible to reduce per-tile painting overhead
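Review bot: The entry says the patch "ensures that we don't crash" but does not record the new behaviour, which is that an out-of-range column is clamped to maxColumnIndex rather than rejected; since that changes what layout does with such a cell (it is placed at the last valid column instead of aborting), the ChangeLog line for (WebCore::RenderTableCell::setCol) should state "clamp the column index to maxColumnIndex instead of crashing" so the intent is clear to anyone reading the history.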
index 8b76e16..804f6f0 100644 (file)
@@ -237,7 +237,7 @@ inline unsigned RenderTableCell::rowSpan() const
 inline void RenderTableCell::setCol(unsigned column)
 {
     if (UNLIKELY(column > maxColumnIndex))
-        CRASH();
+        column = maxColumnIndex;
     m_column = column;
 }
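Review bot: Replacing `CRASH()` with `column = maxColumnIndex;` turns a hard failure into silent clamping, so every cell whose computed column exceeds the cap now reports the same m_column value; before landing, confirm that the callers which index grid structures by column tolerate several cells sharing maxColumnIndex (and that a span counted from such a cell cannot extend past the grid), since the old `CRASH()` was protecting exactly that invariant. If the invariant does hold after clamping, an `ASSERT_NOT_REACHED()`-style debug check or a `LOG` in the clamped branch would keep the overflow visible to test runs without reintroducing the release crash, and a comment on the branch explaining why clamping is safe here would help the next reader.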