From 0f6cfd754b15fe2902c0706ec0034701b3326edd Mon Sep 17 00:00:00 2001 From: "bmlk%gmx.de" Date: Wed, 21 Feb 2007 19:42:21 +0000 Subject: [PATCH] limit array access when a rowspan points to a already pushed row, bug 370360 r/sr=bzbarsky git-svn-id: svn://10.0.0.236/trunk@220655 18797224-902f-48f8-a5cc-f745e15eee43 --- mozilla/layout/tables/nsTableRowFrame.cpp | 2 ++ mozilla/layout/tables/nsTableRowFrame.h | 1 + .../layout/tables/nsTableRowGroupFrame.cpp | 23 +++++++++++-------- 3 files changed, 17 insertions(+), 9 deletions(-) diff --git a/mozilla/layout/tables/nsTableRowFrame.cpp b/mozilla/layout/tables/nsTableRowFrame.cpp index fe24d8a3955..48487d0d120 100644 --- a/mozilla/layout/tables/nsTableRowFrame.cpp +++ b/mozilla/layout/tables/nsTableRowFrame.cpp @@ -1056,6 +1056,7 @@ nsTableRowFrame::Reflow(nsPresContext* aPresContext, nscoord nsTableRowFrame::ReflowCellFrame(nsPresContext* aPresContext, const nsHTMLReflowState& aReflowState, + PRBool aIsTopOfPage, nsTableCellFrame* aCellFrame, nscoord aAvailableHeight, nsReflowStatus& aStatus) @@ -1072,6 +1073,7 @@ nsTableRowFrame::ReflowCellFrame(nsPresContext* aPresContext, nsTableCellReflowState cellReflowState(aPresContext, aReflowState, aCellFrame, availSize, PR_FALSE); InitChildReflowState(*aPresContext, availSize, borderCollapse, cellReflowState); + cellReflowState.mFlags.mIsTopOfPage = aIsTopOfPage; nsHTMLReflowMetrics desiredSize; diff --git a/mozilla/layout/tables/nsTableRowFrame.h b/mozilla/layout/tables/nsTableRowFrame.h index 6bc2436bfc5..888d253abaa 100644 --- a/mozilla/layout/tables/nsTableRowFrame.h +++ b/mozilla/layout/tables/nsTableRowFrame.h @@ -158,6 +158,7 @@ public: /** used by row group frame code */ nscoord ReflowCellFrame(nsPresContext* aPresContext, const nsHTMLReflowState& aReflowState, + PRBool aIsTopOfPage, nsTableCellFrame* aCellFrame, nscoord aAvailableHeight, nsReflowStatus& aStatus); 
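Review bot: The new `aIsTopOfPage` argument of `ReflowCellFrame` is undocumented in nsTableRowFrame.h, where the only comment on the declaration is `/** used by row group frame code */`. The matching hunk in nsTableRowFrame.cpp copies it into `cellReflowState.mFlags.mIsTopOfPage`, so a line such as `@param aIsTopOfPage value for the cell reflow state's mIsTopOfPage flag; PR_TRUE only when the cell starts at the top of a page` would tell callers what to pass. Because the parameter was inserted in the middle of the list, every other caller must be updated too, and only the SplitSpanningCells call site is visible in this patch.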
diff --git a/mozilla/layout/tables/nsTableRowGroupFrame.cpp b/mozilla/layout/tables/nsTableRowGroupFrame.cpp index cce9b411d8c..96697bf51bf 100644 --- a/mozilla/layout/tables/nsTableRowGroupFrame.cpp +++ b/mozilla/layout/tables/nsTableRowGroupFrame.cpp @@ -576,13 +576,13 @@ nsTableRowGroupFrame::CalculateRowHeights(nsPresContext* aPresContext, PRInt32 numRows = GetRowCount() - (startRowFrame->GetRowIndex() - GetStartRowIndex()); // collect the current height of each row. nscoord* rowHeights = nsnull; - RowInfo* rowInfo; - if (numRows > 0) { - rowInfo = new RowInfo[numRows]; - if (!rowInfo) return; - memset (rowInfo, 0, numRows*sizeof(RowInfo)); - } - else return; + if (numRows <= 0) + return; + + nsTArray rowInfo; + if (!rowInfo.AppendElements(numRows)) { + return; + } PRBool hasRowSpanningCell = PR_FALSE; nscoord heightOfRows = 0; @@ -643,6 +643,10 @@ nsTableRowGroupFrame::CalculateRowHeights(nsPresContext* aPresContext, // iteratate the row's cell frames while (cellFrame) { PRInt32 rowSpan = tableFrame->GetEffectiveRowSpan(rowIndex + startRowIndex, *cellFrame); + if ((rowIndex + rowSpan) > numRows) { + // there might be rows pushed already to the nextInFlow + rowSpan = numRows - rowIndex; + } if (rowSpan > 1) { // a cell with rowspan > 1, determine the height of the rows it spans nscoord heightOfRowsSpanned = 0; nscoord heightOfUnStyledRowsSpanned = 0; @@ -818,7 +822,6 @@ nsTableRowGroupFrame::CalculateRowHeights(nsPresContext* aPresContext, DidResizeRows(aDesiredSize); aDesiredSize.height = rowGroupHeight; // Adjust our desired size - delete [] rowInfo; // cleanup } nscoord 
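Review bot: The zero-initialisation of `rowInfo` may be lost in the switch to nsTArray in the first hunk of CalculateRowHeights. The removed code cleared the array with `memset (rowInfo, 0, numRows*sizeof(RowInfo))`, while `rowInfo.AppendElements(numRows)` only default-constructs the elements. RowInfo's definition is outside this hunk; if it has no constructor that clears its fields, the later reads would see indeterminate values. Either confirm that RowInfo initialises itself or keep the zeroing, for example `memset(rowInfo.Elements(), 0, numRows * sizeof(RowInfo));` right after the append.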
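Review bot: The new clamp on `rowSpan` assumes `rowIndex < numRows`, and nothing in the hunk states or checks that. If it ever failed, `numRows - rowIndex` would be zero or negative and the cell would silently be treated as non-spanning. The loop that sets `rowIndex` is outside the hunk, so the bound is presumably guaranteed there, but going by the commit subject this clamp is what keeps the array accesses further down inside the `numRows` elements, so the invariant is worth recording. I would add `NS_ASSERTION(rowIndex < numRows, "row index outside rowInfo");` before the `if` and extend the comment to `// rowInfo has only numRows entries; rows already pushed to the nextInFlow are not counted, so clamp the span`.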
@@ -949,7 +952,9 @@ nsTableRowGroupFrame::SplitSpanningCells(nsPresContext& aPresContext, // Ask the row to reflow the cell to the height of all the rows it spans up through aLastRow // aAvailHeight is the space between the row group start and the end of the page nscoord cellAvailHeight = aAvailHeight - rowPos.y; - nscoord cellHeight = row->ReflowCellFrame(&aPresContext, aReflowState, cell, + PRBool isTopOfPage = (row == &aFirstRow) && aFirstRowIsTopOfPage; + nscoord cellHeight = row->ReflowCellFrame(&aPresContext, aReflowState, + isTopOfPage, cell, cellAvailHeight, status); aDesiredHeight = PR_MAX(aDesiredHeight, rowPos.y + cellHeight); if (NS_FRAME_IS_COMPLETE(status)) {