Reviewed by Maciej.
- another large rowspan test case
* fast/table/large-rowspan-crash-expected.txt: Added.
* fast/table/large-rowspan-crash.html: Added.
WebCore:
Reviewed by Maciej.
- fix http://bugzilla.opendarwin.org/show_bug.cgi?id=9806
<rdar://problem/4622622>
REGRESSION: Large rowspan causes WebKit to call abort()
Test: fast/table/large-rowspan-crash.html
* rendering/RenderTableSection.cpp:
(WebCore::RenderTableSection::ensureRows):
Use sizeof(RowStruct) instead of sizeof(int).
Clearly we'll need something better to solve this completely.
I expect another smaller, but still huge, value will still cause a problem.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@15390 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+2006-07-13 Darin Adler <darin@apple.com>
+
+ Reviewed by Maciej.
+
+ - another large rowspan test case
+
+ * fast/table/large-rowspan-crash-expected.txt: Added.
+ * fast/table/large-rowspan-crash.html: Added.
+
2006-07-12 Anders Carlsson <acarlsson@apple.com>
Reviewed by Maciej.
--- /dev/null
+If the browser didn't crash, the test passed.
+
+
+
+Property changes on: LayoutTests/fast/table/large-rowspan-crash-expected.txt
+___________________________________________________________________
+Name: svn:eol-style
+ + native
+
--- /dev/null
+<script>
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+</script>
+<table><td rowspan=674227123></td></table>
+<p>If the browser didn't crash, the test passed.</p>
+
+Property changes on: LayoutTests/fast/table/large-rowspan-crash.html
+___________________________________________________________________
+Name: svn:mime-type
+ + text/html
+Name: svn:eol-style
+ + native
+
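Review bot: The test in large-rowspan-crash.html pins a single value, `rowspan=674227123`, and carries no reference to the bug it guards, while the accompanying ChangeLog entry already expects that "another smaller, but still huge, value will still cause a problem". Consider adding a comment in the test that names bug 9806, and follow-up cases for other magnitudes once the row-count limit is settled, so a later regression at a different size is caught and traceable.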
+2006-07-13 Darin Adler <darin@apple.com>
+
+ Reviewed by Maciej.
+
+ - fix http://bugzilla.opendarwin.org/show_bug.cgi?id=9806
+ <rdar://problem/4622622>
+ REGRESSION: Large rowspan causes WebKit to call abort()
+
+ Test: fast/table/large-rowspan-crash.html
+
+ * rendering/RenderTableSection.cpp:
+ (WebCore::RenderTableSection::ensureRows):
+ Use sizeof(RowStruct) instead of sizeof(int).
+ Clearly we'll need something better to solve this completely.
+ I expect another smaller, but still huge, value will still cause a problem.
+
2006-07-12 Anders Carlsson <acarlsson@apple.com>
Reviewed by Maciej.
int nRows = gridRows;
if (numRows > nRows) {
if (numRows > static_cast<int>(grid.size())) {
- if (numRows > static_cast<int>(numeric_limits<size_t>::max() / sizeof(int)))
+ if (numRows > static_cast<int>(numeric_limits<size_t>::max() / sizeof(RowStruct)))
return false;
grid.resize(numRows);
}
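Review bot: The bound in `if (numRows > static_cast<int>(numeric_limits<size_t>::max() / sizeof(RowStruct)))` is still computed as a `size_t` and then narrowed to `int`. Where `size_t` is wider than `int` the quotient does not fit and the cast gives an implementation-defined value, so the comparison no longer reflects the real limit. Where the widths match, the check only rejects row counts whose byte size would overflow `size_t`, which still lets through requests far larger than `grid.resize(numRows)` can be expected to satisfy. Suggest doing the comparison in the unsigned domain, for example `static_cast<size_t>(numRows) > numeric_limits<size_t>::max() / sizeof(RowStruct)`, adding an explicit upper limit on the row count ahead of the resize, and making sure an allocation failure in `grid.resize(numRows)` leads to the same `return false` path rather than an abort.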