Bug 898563. r=botond
authorKartikaya Gupta <kgupta@mozilla.com>
Fri, 21 Feb 2014 17:58:30 -0500
changeset 169966 21bbea0bdc12ebeaf9e2751c816de8418b13f41c
parent 169965 ae91046b210ac57e984b7f9090e5519e1719a2bb
child 169967 1f1bb2f2f868dae9381d6e998efc8b49d33cf982
child 170004 bb7ba9f95aaea6bb49cf54524e5c51e29d0f0f4e
push id40113
push userkgupta@mozilla.com
push dateFri, 21 Feb 2014 22:59:16 +0000
reviewersbotond
bugs898563
milestone30.0a1
Bug 898563. r=botond
gfx/layers/ipc/AsyncPanZoomController.cpp
layout/ipc/RenderFrameParent.cpp
--- a/gfx/layers/ipc/AsyncPanZoomController.cpp
+++ b/gfx/layers/ipc/AsyncPanZoomController.cpp
@@ -1738,16 +1738,21 @@ void AsyncPanZoomController::NotifyLayer
 }
 
 const FrameMetrics& AsyncPanZoomController::GetFrameMetrics() {
   mMonitor.AssertCurrentThreadIn();
   return mFrameMetrics;
 }
 
 void AsyncPanZoomController::ZoomToRect(CSSRect aRect) {
+  if (!aRect.IsFinite()) {
+    NS_WARNING("ZoomToRect got called with a non-finite rect; ignoring...\n");
+    return;
+  }
+
   SetState(ANIMATING_ZOOM);
 
   {
     ReentrantMonitorAutoEnter lock(mMonitor);
 
     ScreenIntRect compositionBounds = mFrameMetrics.mCompositionBounds;
     CSSRect cssPageRect = mFrameMetrics.mScrollableRect;
     CSSPoint scrollOffset = mFrameMetrics.mScrollOffset;
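Review bot: The new early return at the top of ZoomToRect carries no comment saying why a non-finite rect can reach it, whereas the guard added to RenderFrameParent::ContentReceivedTouch in this same commit documents its trust boundary. If aRect originates in the content process, as the RenderFrameParent::ZoomToRect forwarding visible in the other file suggests, a line such as `// aRect may come from an untrusted content process; reject values that would poison the zoom math.` above the check would record that. The string passed to NS_WARNING also ends in `\n`, unlike the NS_ERROR string in RenderFrameParent.cpp, so dropping it would keep the messages consistent. The body of ZoomToRect continues past the end of the hunk, so how a finite but zero-sized rect is treated further down cannot be confirmed from here.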
@@ -1968,19 +1973,27 @@ void AsyncPanZoomController::SetContentR
 void AsyncPanZoomController::TimeoutContentResponse() {
   mContentResponseTimeoutTask = nullptr;
   ContentReceivedTouch(false);
 }
 
 void AsyncPanZoomController::UpdateZoomConstraints(const ZoomConstraints& aConstraints) {
   APZC_LOG("%p updating zoom constraints to %d %f %f\n", this, aConstraints.mAllowZoom,
     aConstraints.mMinZoom.scale, aConstraints.mMaxZoom.scale);
+  if (IsFloatNaN(aConstraints.mMinZoom.scale) || IsFloatNaN(aConstraints.mMinZoom.scale)) {
+    NS_WARNING("APZC received zoom constraints with NaN values; dropping...\n");
+    return;
+  }
+  // inf float values and other bad cases should be sanitized by the code below.
   mZoomConstraints.mAllowZoom = aConstraints.mAllowZoom;
   mZoomConstraints.mMinZoom = (MIN_ZOOM > aConstraints.mMinZoom ? MIN_ZOOM : aConstraints.mMinZoom);
   mZoomConstraints.mMaxZoom = (MAX_ZOOM > aConstraints.mMaxZoom ? aConstraints.mMaxZoom : MAX_ZOOM);
+  if (mZoomConstraints.mMaxZoom < mZoomConstraints.mMinZoom) {
+    mZoomConstraints.mMaxZoom = mZoomConstraints.mMinZoom;
+  }
 }
 
 ZoomConstraints
 AsyncPanZoomController::GetZoomConstraints() const
 {
   return mZoomConstraints;
 }
 
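Review bot: The NaN guard added to UpdateZoomConstraints tests `aConstraints.mMinZoom.scale` twice and never looks at `mMaxZoom`, so a NaN maximum is not dropped the way the warning text says. Such a value appears to fall through to the `MAX_ZOOM > aConstraints.mMaxZoom` clamp, where the comparison is false for NaN and MAX_ZOOM is stored; this assumes the comparison operators work on the underlying floats, and it means the state stays sane only by accident. The condition should read `if (IsFloatNaN(aConstraints.mMinZoom.scale) || IsFloatNaN(aConstraints.mMaxZoom.scale)) {`. A short comment on the final `mMaxZoom < mMinZoom` fix-up, stating that the minimum wins when the two conflict, would also help the next reader.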
--- a/layout/ipc/RenderFrameParent.cpp
+++ b/layout/ipc/RenderFrameParent.cpp
@@ -1128,16 +1128,21 @@ RenderFrameParent::ZoomToRect(uint32_t a
                                      aRect);
   }
 }
 
 void
 RenderFrameParent::ContentReceivedTouch(const ScrollableLayerGuid& aGuid,
                                         bool aPreventDefault)
 {
+  if (aGuid.mLayersId != mLayersId) {
+    // Guard against bad data from hijacked child processes
+    NS_ERROR("Unexpected layers id in ContentReceivedTouch; dropping message...");
+    return;
+  }
   if (GetApzcTreeManager()) {
     GetApzcTreeManager()->ContentReceivedTouch(aGuid, aPreventDefault);
   }
 }
 
 void
 RenderFrameParent::UpdateZoomConstraints(uint32_t aPresShellId,
                                          ViewID aViewId,
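Review bot: The layers-id guard in ContentReceivedTouch reports through NS_ERROR while the two guards added in AsyncPanZoomController.cpp use NS_WARNING, and as far as I know both macros compile away outside debug builds, so a message rejected here leaves no trace in release. Using one macro across all three guards would be more consistent, and if a mismatching id is a signal worth investigating, a log path that survives in release builds would make it observable. The check also validates only `aGuid.mLayersId`; the other fields of aGuid are still handed to the tree manager as received. Extending the comment to something like `// Guard against bad data from hijacked child processes; only the layers id is checked here, the tree manager must tolerate unknown targets.` would make that assumption explicit.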