Fix for bug 11924: WebCore would crash on any HTML content
        with a non-empty <table> tag in it on a 64-bit machine. The
        size_t (64bit) vs int (32bit) cast is now fixed in ensureRows,
        and the clients of this function have been updated to check
        for a false return code.

        Reviewed by Darin



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@18834 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/WebCore/rendering/RenderTableSection.cpp b/WebCore/rendering/RenderTableSection.cpp
index 873309d..9704987 100644
--- a/WebCore/rendering/RenderTableSection.cpp
+++ b/WebCore/rendering/RenderTableSection.cpp
@@ -131,7 +131,10 @@
     ++m_cRow;
     m_cCol = 0;
 
-    ensureRows(m_cRow + 1);
+    // make sure we have enough rows
+    if (!ensureRows(m_cRow + 1))
+        return;
+
     m_grid[m_cRow].rowRenderer = child;
 
     if (!beforeChild) {
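Review bot: On the new failure path `if (!ensureRows(m_cRow + 1)) return;`, `m_cRow` has already been advanced by `++m_cRow` a few lines earlier, so the section keeps a current-row index with no backing entry in `m_grid`. Any later code that indexes `m_grid[m_cRow]`, as the line right after the check does, would then touch memory past the end of the vector. Consider undoing the increment before bailing out, e.g. `if (!ensureRows(m_cRow + 1)) { --m_cRow; return; }`, or growing the grid before bumping `m_cRow`. The same applies to the `m_cRow++` / `break` pair in the hunk at new line 928. The enclosing function starts and ends outside this hunk, so whether the child is still attached to the render tree on this path cannot be seen here.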
@@ -152,7 +155,8 @@
     int nRows = m_gridRows;
     if (numRows > nRows) {
         if (numRows > static_cast<int>(m_grid.size())) {
-            if (numRows > static_cast<int>(numeric_limits<size_t>::max() / sizeof(RowStruct)))
+            size_t maxSize = numeric_limits<size_t>::max() / sizeof(RowStruct);
+            if (static_cast<size_t>(numRows) > maxSize)
                 return false;
             m_grid.resize(numRows);
         }
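Review bot: The outer guard `numRows > static_cast<int>(m_grid.size())` still narrows a `size_t` to `int`, the same kind of cast this change removes on the next line. Comparing in the unsigned domain, `if (static_cast<size_t>(numRows) > m_grid.size())`, would keep both checks consistent; this presumably is safe because `numRows > nRows` has already been established, though the sign of `m_gridRows` is not visible here. A short comment on `maxSize`, such as `// largest row count whose byte size still fits in size_t`, would also record why the bound exists. The function's signature and tail lie outside the hunk.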
@@ -924,7 +928,8 @@
         if (row->isTableRow()) {
             m_cRow++;
             m_cCol = 0;
-            ensureRows(m_cRow + 1);
+            if (!ensureRows(m_cRow + 1))
+                break;
             m_grid[m_cRow].rowRenderer = row;
 
             for (RenderObject* cell = row->firstChild(); cell; cell = cell->nextSibling()) {