Bug 692145 - Wallpaper text offset out-of-bounds crash. r=masayuki
authorMats Palmgren <matspal@gmail.com>
Tue, 31 Jan 2012 11:37:21 +0900
changeset 86933 7597b7feee736c3ef8584a91d7ef45b2e3dd707e
parent 86932 836b5e3bc8164fda8866dedf289335f07195f73a
child 86934 481d57edc9b1db5f0febaeef45b36a1c0bcf3f13
push id805
push userakeybl@mozilla.com
push dateWed, 01 Feb 2012 18:17:35 +0000
reviewersmasayuki
bugs692145
milestone12.0a1
Bug 692145 - Wallpaper text offset out-of-bounds crash. r=masayuki
content/events/src/nsContentEventHandler.cpp
--- a/content/events/src/nsContentEventHandler.cpp
+++ b/content/events/src/nsContentEventHandler.cpp
@@ -209,22 +209,21 @@ static void AppendSubString(nsAString& a
 #if defined(XP_WIN)
 static PRUint32 CountNewlinesIn(nsIContent* aContent, PRUint32 aMaxOffset)
 {
   NS_ASSERTION(aContent->IsNodeOfType(nsINode::eTEXT),
                "aContent is not a text node!");
   const nsTextFragment* text = aContent->GetText();
   if (!text)
     return 0;
-  if (aMaxOffset == PR_UINT32_MAX) {
-    // search the entire string
-    aMaxOffset = text->GetLength();
-  }
+  NS_ASSERTION(aMaxOffset == PR_UINT32_MAX || aMaxOffset <= text->GetLength(),
+               "text offset is out-of-bounds");
+  const PRUint32 length = NS_MIN(aMaxOffset, text->GetLength());
   PRUint32 newlines = 0;
-  for (PRUint32 i = 0; i < aMaxOffset; ++i) {
+  for (PRUint32 i = 0; i < length; ++i) {
     if (text->CharAt(i) == '\n') {
       ++newlines;
     }
   }
   return newlines;
 }
 #endif
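Review bot: The new `length` line in CountNewlinesIn removes the only comment that explained the PR_UINT32_MAX sentinel, and nothing documents that an out-of-range aMaxOffset is now silently clamped. NS_ASSERTION is a debug-only check, so in release builds the NS_MIN clamp is the only thing keeping `text->CharAt(i)` inside the fragment. I would state that above the line, e.g. `// PR_UINT32_MAX means "scan the whole node"; NS_MIN also clamps a stale offset so CharAt() never reads past the fragment.` The callers are outside this hunk, so this is inferred, but whoever passed the bad offset presumably still holds it and gets a newline count for a shorter range than it asked for. Since the title calls this a wallpaper, a short comment pointing at the follow-up for the caller-side fix would help.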