limit mathml row- and colspans as we do for html
bug 443089 r/sr=bzbarsky
--- a/content/html/content/src/Makefile.in
+++ b/content/html/content/src/Makefile.in
@@ -148,12 +148,13 @@ FORCE_STATIC_LIB = 1
include $(topsrcdir)/config/rules.mk
INCLUDES += \
-I$(srcdir)/../../../base/src \
-I$(srcdir)/../../../events/src \
-I$(srcdir)/../../../xbl/src \
-I$(srcdir)/../../../../layout/style \
+ -I$(srcdir)/../../../../layout/tables \
-I$(srcdir) \
$(NULL)
DEFINES += -D_IMPL_NS_LAYOUT
--- a/content/html/content/src/nsHTMLTableCellElement.cpp
+++ b/content/html/content/src/nsHTMLTableCellElement.cpp
@@ -40,16 +40,17 @@
#include "nsIDOMEventTarget.h"
#include "nsMappedAttributes.h"
#include "nsGenericHTMLElement.h"
#include "nsGkAtoms.h"
#include "nsStyleConsts.h"
#include "nsPresContext.h"
#include "nsRuleData.h"
#include "nsIDocument.h"
+#include "celldata.h"
class nsHTMLTableCellElement : public nsGenericHTMLElement,
public nsIDOMHTMLTableCellElement
{
public:
nsHTMLTableCellElement(nsINodeInfo *aNodeInfo);
virtual ~nsHTMLTableCellElement();
@@ -256,19 +257,16 @@ nsHTMLTableCellElement::SetAlign(const n
static const nsAttrValue::EnumTable kCellScopeTable[] = {
{ "row", NS_STYLE_CELL_SCOPE_ROW },
{ "col", NS_STYLE_CELL_SCOPE_COL },
{ "rowgroup", NS_STYLE_CELL_SCOPE_ROWGROUP },
{ "colgroup", NS_STYLE_CELL_SCOPE_COLGROUP },
{ 0 }
};
-#define MAX_ROWSPAN 8190 // celldata.h can not handle more
-#define MAX_COLSPAN 1000 // limit as IE and opera do
-
PRBool
nsHTMLTableCellElement::ParseAttribute(PRInt32 aNamespaceID,
nsIAtom* aAttribute,
const nsAString& aValue,
nsAttrValue& aResult)
{
if (aNamespaceID == kNameSpaceID_None) {
/* ignore these attributes, stored simply as strings
--- a/layout/mathml/base/src/nsMathMLmtableFrame.cpp
+++ b/layout/mathml/base/src/nsMathMLmtableFrame.cpp
@@ -46,16 +46,17 @@
#include "nsIRenderingContext.h"
#include "nsIFontMetrics.h"
#include "nsVoidArray.h"
#include "nsCSSFrameConstructor.h"
#include "nsTableOuterFrame.h"
#include "nsTableFrame.h"
#include "nsTableCellFrame.h"
+#include "celldata.h"
#include "nsMathMLmtableFrame.h"
//
// <mtable> -- table or matrix - implementation
//
// helper function to perform an in-place split of a space-delimited string,
@@ -770,16 +771,17 @@ nsMathMLmtdFrame::GetRowSpan()
if ((mContent->Tag() == nsGkAtoms::mtd_) && !GetStyleContext()->GetPseudoType()) {
nsAutoString value;
mContent->GetAttr(kNameSpaceID_None, nsGkAtoms::rowspan, value);
if (!value.IsEmpty()) {
PRInt32 error;
rowspan = value.ToInteger(&error);
if (error || rowspan < 0)
rowspan = 1;
+ rowspan = PR_MIN(rowspan, MAX_ROWSPAN);
}
}
return rowspan;
}
PRInt32
nsMathMLmtdFrame::GetColSpan()
{
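Review bot: An over-limit rowspan is clamped to MAX_ROWSPAN here, while the GetColSpan hunk below resets an over-limit columnspan to 1, and neither function says the difference is intended. If this mirrors the HTML cell parser, as the commit title suggests, a comment should record it, e.g. `// clamp as for HTML rowspan; the cellmap can not handle more than MAX_ROWSPAN` here and `// out-of-range columnspan falls back to 1, as for HTML colspan` in GetColSpan. These bounds keep attribute values from untrusted markup within what the cellmap can store. It is therefore worth confirming that no other reader of the mtd span attributes bypasses these two getters. GetRowSpan starts before this hunk.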
@@ -787,17 +789,17 @@ nsMathMLmtdFrame::GetColSpan()
// Don't look at the content's colspan if we're not an mtd or a pseudo cell.
if ((mContent->Tag() == nsGkAtoms::mtd_) && !GetStyleContext()->GetPseudoType()) {
nsAutoString value;
mContent->GetAttr(kNameSpaceID_None, nsGkAtoms::columnspan_, value);
if (!value.IsEmpty()) {
PRInt32 error;
colspan = value.ToInteger(&error);
- if (error || colspan < 0)
+ if (error || colspan < 0 || colspan > MAX_COLSPAN)
colspan = 1;
}
}
return colspan;
}
NS_IMETHODIMP
nsMathMLmtdFrame::AttributeChanged(PRInt32 aNameSpaceID,
--- a/layout/tables/celldata.h
+++ b/layout/tables/celldata.h
@@ -39,16 +39,20 @@
#include "nsISupports.h"
#include "nsCoord.h"
class nsTableCellFrame;
class nsCellMap;
class BCCellData;
+
+#define MAX_ROWSPAN 8190 // the cellmap can not handle more
+#define MAX_COLSPAN 1000 // limit as IE and opera do
+
/**
* Data stored by nsCellMap to rationalize rowspan and colspan cells.
*/
class CellData
{
public:
/** Initialize the mOrigCell pointer
* @param aOrigCell the table cell frame which will be stored in mOrigCell.
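Review bot: The comment on MAX_ROWSPAN says the cellmap cannot handle more, but not which part of the cellmap sets the 8190 ceiling. A later change to the span storage could therefore silently invalidate a limit that both content and MathML code now rely on. I would name the constraining field or bit width in the comment and, if the build supports it, add a compile-time assertion next to that storage. The unprefixed macro names are also now visible to every file that includes celldata.h. Typed constants such as `static const PRInt32 kMaxRowSpan = 8190;` would avoid accidental collisions, though that rename is larger than this patch needs.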
--- a/xpcom/glue/nsTArray.cpp
+++ b/xpcom/glue/nsTArray.cpp
@@ -60,17 +60,17 @@ nsTArray_base::EnsureCapacity(size_type
// This should be the most common case so test this first
if (capacity <= mHdr->mCapacity)
return PR_TRUE;
// If the requested memory allocation exceeds size_type(-1)/2, then our
// doubling algorithm may not be able to allocate it. Additionally we
// couldn't fit in the Header::mCapacity member. Just bail out in cases
// like that. We don't want to be allocating 2 GB+ arrays anyway.
- if (capacity * elemSize > size_type(-1)/2) {
+ if ((PRUint64)capacity * elemSize > size_type(-1)/2) {
NS_ERROR("Attempting to allocate excessively large array");
return PR_FALSE;
}
if (mHdr == &sEmptyHdr) {
// NS_Alloc new data
Header *header = static_cast<Header*>
(NS_Alloc(sizeof(Header) + capacity * elemSize));
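Review bot: The `(PRUint64)` cast only catches a wrapped product while size_type is narrower than 64 bits, and its definition is not visible in this hunk. If size_type is ever 64-bit, the multiplication can wrap again and the NS_Alloc size below would be computed from the wrapped value. A division-based test does not depend on the width: `if (elemSize && capacity > (size_type(-1)/2) / elemSize) {`. The comment above the check should also say that it guards against multiplication overflow, not only against very large requests. The commit message does not mention this change. EnsureCapacity begins before the hunk and continues past it.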