limit mathml row- and colspans as we do for html bug 443089 r/sr=bzbarsky

Bernd 2008-07-16 17:02:18 +02:00
parent 37326663f4
commit d8f4877b29
5 changed files with 10 additions and 5 deletions


@ -153,6 +153,7 @@ INCLUDES += \
-I$(srcdir)/../../../events/src \
-I$(srcdir)/../../../xbl/src \
-I$(srcdir)/../../../../layout/style \
-I$(srcdir)/../../../../layout/tables \
-I$(srcdir) \
$(NULL)


@ -45,6 +45,7 @@
#include "nsPresContext.h"
#include "nsRuleData.h"
#include "nsIDocument.h"
#include "celldata.h"
class nsHTMLTableCellElement : public nsGenericHTMLElement,
public nsIDOMHTMLTableCellElement
@ -261,9 +262,6 @@ static const nsAttrValue::EnumTable kCellScopeTable[] = {
{ 0 }
};
#define MAX_ROWSPAN 8190 // celldata.h can not handle more
#define MAX_COLSPAN 1000 // limit as IE and opera do
PRBool
nsHTMLTableCellElement::ParseAttribute(PRInt32 aNamespaceID,
nsIAtom* aAttribute,


@ -51,6 +51,7 @@
#include "nsTableOuterFrame.h"
#include "nsTableFrame.h"
#include "nsTableCellFrame.h"
#include "celldata.h"
#include "nsMathMLmtableFrame.h"
@ -775,6 +776,7 @@ nsMathMLmtdFrame::GetRowSpan()
rowspan = value.ToInteger(&error);
if (error || rowspan < 0)
rowspan = 1;
rowspan = PR_MIN(rowspan, MAX_ROWSPAN);
}
}
return rowspan;
@ -792,7 +794,7 @@ nsMathMLmtdFrame::GetColSpan()
if (!value.IsEmpty()) {
PRInt32 error;
colspan = value.ToInteger(&error);
if (error || colspan < 0)
if (error || colspan < 0 || colspan > MAX_COLSPAN)
colspan = 1;
}
}
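Review bot: GetRowSpan() and GetColSpan() now handle an over-limit value differently, and nothing in the new code says why: the row path clamps with `PR_MIN(rowspan, MAX_ROWSPAN)`, while the column path resets to 1 when `colspan > MAX_COLSPAN`. If this is meant to mirror the HTML cell parsing, as the commit title suggests, a short comment on each would make it explicit, for example `// clamp: the cellmap cannot store a larger rowspan` and `// oversized colspan is reset to 1, matching the HTML cell code`. Both values come straight from document attributes, so these bounds are what keep markup-supplied spans within what the cell map can hold, and the reason should be readable where the check is made. Both function bodies start outside the hunks shown.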


@ -44,6 +44,10 @@ class nsTableCellFrame;
class nsCellMap;
class BCCellData;
#define MAX_ROWSPAN 8190 // the cellmap can not handle more
#define MAX_COLSPAN 1000 // limit as IE and opera do
/**
* Data stored by nsCellMap to rationalize rowspan and colspan cells.
*/
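Review bot: The comment on `MAX_ROWSPAN` says the cellmap cannot handle more, but it does not say which stored field imposes 8190. This header is now the shared source of the limit for the HTML content code and the MathML frame code, so the constraint should be named next to the define, for example `// upper bound imposed by the span storage in CellData; keep in sync with that field`. The exact field is not visible in this hunk, so that wording needs confirming against the class below. The unprefixed macro names are also now visible to every file that includes this header, which may be worth a second look.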


@ -65,7 +65,7 @@ nsTArray_base::EnsureCapacity(size_type capacity, size_type elemSize) {
// doubling algorithm may not be able to allocate it. Additionally we
// couldn't fit in the Header::mCapacity member. Just bail out in cases
// like that. We don't want to be allocating 2 GB+ arrays anyway.
if (capacity * elemSize > size_type(-1)/2) {
if ((PRUint64)capacity * elemSize > size_type(-1)/2) {
NS_ERROR("Attempting to allocate excessively large array");
return PR_FALSE;
}
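Review bot: The widened check `(PRUint64)capacity * elemSize > size_type(-1)/2` prevents wrap-around only while size_type is narrower than 64 bits, and this hunk does not show its width. A division-based guard gives the same result at any width: `if (elemSize && capacity > (size_type(-1)/2) / elemSize) {`. This check is what stops an oversized capacity request from wrapping into a small allocation, yet the commit message does not mention it, so a line there would help anyone tracing the fix later. EnsureCapacity continues outside the hunk.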