Make sure to never read off the end of the buffer in HasTerminalNewline(). Bug

335320, r+sr=roc git-svn-id: svn://10.0.0.236/trunk@195446 18797224-902f-48f8-a5cc-f745e15eee43
2006-04-26 15:54:48 +00:00 · 2006-04-26 15:54:48 +00:00 · 3ca392a8e3
commit 3ca392a8e3
parent 2fb73b3a53
1 changed files with 36 additions and 2 deletions
--- a/mozilla/layout/generic/nsTextFrame.cpp
+++ b/mozilla/layout/generic/nsTextFrame.cpp
@ -253,7 +253,11 @@ protected:

 class nsTextFrame : public nsFrame {
 public:
-  nsTextFrame(nsStyleContext* aContext) : nsFrame(aContext) {}
+  nsTextFrame(nsStyleContext* aContext) : nsFrame(aContext)
+  {
+    NS_ASSERTION(mContentOffset == 0, "Bogus content offset");
+    NS_ASSERTION(mContentLength == 0, "Bogus content length");
+  }
  
  // nsIFrame
  NS_IMETHOD BuildDisplayList(nsDisplayListBuilder*   aBuilder,
@ -262,6 +266,10 @@ public:
                              
  void PaintText(nsIRenderingContext& aRenderingContext, nsPoint aPt);
  
+  NS_IMETHOD Init(nsIContent*      aContent,
+                  nsIFrame*        aParent,
+                  nsIFrame*        aPrevInFlow);
+
  virtual void Destroy();
  
  NS_IMETHOD GetCursor(const nsPoint& aPoint,
@ -1391,6 +1399,28 @@ NS_IMETHODIMP nsTextFrame::GetAccessible(nsIAccessible** aAccessible)


 //-----------------------------------------------------------------------------
+NS_IMETHODIMP
+nsTextFrame::Init(nsIContent*      aContent,
+                  nsIFrame*        aParent,
+                  nsIFrame*        aPrevInFlow)
+{
+  nsresult rv = nsFrame::Init(aContent, aParent, aPrevInFlow);
+  if (NS_SUCCEEDED(rv) && !aPrevInFlow &&
+      GetStyleText()->WhiteSpaceIsSignificant()) {
+    // We care about our actual length in this case, so we can report the right
+    // thing from HasTerminalNewline().  Since we're not a continuing frame, we
+    // should map the whole content node.
+
+    // Note that if we're created due to bidi splitting the bidi code
+    // will override what we compute here, so it's ok.
+    nsCOMPtr<nsITextContent> tc = do_QueryInterface(mContent);
+    if (tc) {
+      mContentLength = tc->Text()->GetLength();
+    }
+  }
+  return rv;
+}
+
 void
 nsTextFrame::Destroy()
 {
@ -1929,11 +1959,15 @@ nsTextFrame::CharacterDataChanged(nsPresContext* aPresContext,
  }

  if (markAllDirty) {
-    // Mark this frame and all the next-in-flow frames as dirty
+    // Mark this frame and all the next-in-flow frames as dirty and reset all
+    // the content offsets and lengths to 0, since they no longer know what
+    // content is ok to access.
    nsTextFrame*  textFrame = this;
    while (textFrame) {
      textFrame->mState &= ~TEXT_WHITESPACE_FLAGS;
      textFrame->mState |= NS_FRAME_IS_DIRTY;
+      textFrame->mContentOffset = 0;
+      textFrame->mContentLength = 0;
      textFrame = NS_STATIC_CAST(nsTextFrame*, textFrame->GetNextContinuation());
    }
  }