Clamp span value in RenderTableCell::parse[Col|Row]SpanFromDOM
authoreae@chromium.org <eae@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 15 Feb 2013 21:35:57 +0000 (21:35 +0000)
committereae@chromium.org <eae@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 15 Feb 2013 21:35:57 +0000 (21:35 +0000)
https://bugs.webkit.org/show_bug.cgi?id=109878

Source/WebCore:

Reviewed by Abhishek Arya.

Test: fast/table/colspan-huge-number.html

Clamp colspan and rowspan values to their respective maximum
supported values.

* rendering/RenderTableCell.cpp:
(WebCore::RenderTableCell::parseColSpanFromDOM):
(WebCore::RenderTableCell::parseRowSpanFromDOM):

LayoutTests:

Reviewed by Abhishek Arya.

Add test for handling of very large colspan value.

* fast/table/colspan-huge-number-expected.txt: Added.
* fast/table/colspan-huge-number.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@143045 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/table/colspan-huge-number-expected.txt [new file with mode: 0644]
LayoutTests/fast/table/colspan-huge-number.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/rendering/RenderTableCell.cpp

index 808b5d7..d09938e 100644 (file)
@@ -1,3 +1,15 @@
+2013-02-14  Emil A Eklund  <eae@chromium.org>
+
+        Clamp span value in RenderTableCell::parse[Col|Row]SpanFromDOM
+        https://bugs.webkit.org/show_bug.cgi?id=109878
+
+        Reviewed by Abhishek Arya.
+        
+        Add test for handling of very large colspan value.
+
+        * fast/table/colspan-huge-number-expected.txt: Added.
+        * fast/table/colspan-huge-number.html: Added.
+
 2013-02-15  Xueqing Huang  <huangxueqing@baidu.com>
 
         Flexbox should ignore firstLine pseudo element.
diff --git a/LayoutTests/fast/table/colspan-huge-number-expected.txt b/LayoutTests/fast/table/colspan-huge-number-expected.txt
new file mode 100644 (file)
index 0000000..191fe6f
--- /dev/null
@@ -0,0 +1 @@
+PASS: WebKit didn't crash      
diff --git a/LayoutTests/fast/table/colspan-huge-number.html b/LayoutTests/fast/table/colspan-huge-number.html
new file mode 100644 (file)
index 0000000..4fdd49d
--- /dev/null
@@ -0,0 +1,15 @@
+<!DOCTYLE html>
+<html>
+    <body>
+        <script>
+            if (window.testRunner)
+                testRunner.dumpAsText();
+        </script>
+        <table>
+            <tr>
+                <td colspan="2147483647">PASS: WebKit didn't crash</TD>
+                <td></td>
+            </tr>
+        </table>
+    </body>
+</html>
index f129a1b..790de20 100644 (file)
@@ -1,3 +1,19 @@
+2013-02-14  Emil A Eklund  <eae@chromium.org>
+
+        Clamp span value in RenderTableCell::parse[Col|Row]SpanFromDOM
+        https://bugs.webkit.org/show_bug.cgi?id=109878
+
+        Reviewed by Abhishek Arya.
+
+        Test: fast/table/colspan-huge-number.html
+        
+        Clamp colspan and rowspan values to their respective maximum
+        supported values.
+
+        * rendering/RenderTableCell.cpp:
+        (WebCore::RenderTableCell::parseColSpanFromDOM):
+        (WebCore::RenderTableCell::parseRowSpanFromDOM):
+
 2013-02-15  Andreas Kling  <akling@apple.com>
 
         ShareableElementData should use zero-length array for storage.
index 5b29610..8faaa59 100644 (file)
@@ -79,10 +79,10 @@ unsigned RenderTableCell::parseColSpanFromDOM() const
 {
     ASSERT(node());
     if (node()->hasTagName(tdTag) || node()->hasTagName(thTag))
-        return toHTMLTableCellElement(node())->colSpan();
+        return min<unsigned>(toHTMLTableCellElement(node())->colSpan(), maxColumnIndex);
 #if ENABLE(MATHML)
     if (node()->hasTagName(MathMLNames::mtdTag))
-        return toMathMLElement(node())->colSpan();
+        return min<unsigned>(toMathMLElement(node())->colSpan(), maxColumnIndex);
 #endif
     return 1;
 }
@@ -91,10 +91,10 @@ unsigned RenderTableCell::parseRowSpanFromDOM() const
 {
     ASSERT(node());
     if (node()->hasTagName(tdTag) || node()->hasTagName(thTag))
-        return toHTMLTableCellElement(node())->rowSpan();
+        return min<unsigned>(toHTMLTableCellElement(node())->rowSpan(), maxRowIndex);
 #if ENABLE(MATHML)
     if (node()->hasTagName(MathMLNames::mtdTag))
-        return toMathMLElement(node())->rowSpan();
+        return min<unsigned>(toMathMLElement(node())->rowSpan(), maxRowIndex);
 #endif
     return 1;
 }