From 3ca392a8e31f589b7d0deda877908f3781a16f44 Mon Sep 17 00:00:00 2001
From: "bzbarsky%mit.edu"
 <bzbarsky%mit.edu@18797224-902f-48f8-a5cc-f745e15eee43>
Date: Wed, 26 Apr 2006 15:54:48 +0000
Subject: [PATCH] Make sure to never read off the end of the buffer in
 HasTerminalNewline().  Bug 335320, r+sr=roc

git-svn-id: svn://10.0.0.236/trunk@195446 18797224-902f-48f8-a5cc-f745e15eee43
---
 mozilla/layout/generic/nsTextFrame.cpp | 38 ++++++++++++++++++++++++--
 1 file changed, 36 insertions(+), 2 deletions(-)

diff --git a/mozilla/layout/generic/nsTextFrame.cpp b/mozilla/layout/generic/nsTextFrame.cpp
index c51e1d3b775..c4758cd0916 100644
--- a/mozilla/layout/generic/nsTextFrame.cpp
+++ b/mozilla/layout/generic/nsTextFrame.cpp
@@ -253,7 +253,11 @@ protected:
 
 class nsTextFrame : public nsFrame {
 public:
-  nsTextFrame(nsStyleContext* aContext) : nsFrame(aContext) {}
+  nsTextFrame(nsStyleContext* aContext) : nsFrame(aContext)
+  {
+    NS_ASSERTION(mContentOffset == 0, "Bogus content offset");
+    NS_ASSERTION(mContentLength == 0, "Bogus content length");
+  }
   
   // nsIFrame
   NS_IMETHOD BuildDisplayList(nsDisplayListBuilder*   aBuilder,
@@ -262,6 +266,10 @@ public:
                               
   void PaintText(nsIRenderingContext& aRenderingContext, nsPoint aPt);
   
+  NS_IMETHOD Init(nsIContent*      aContent,
+                  nsIFrame*        aParent,
+                  nsIFrame*        aPrevInFlow);
+
   virtual void Destroy();
   
   NS_IMETHOD GetCursor(const nsPoint& aPoint,
@@ -1391,6 +1399,28 @@ NS_IMETHODIMP nsTextFrame::GetAccessible(nsIAccessible** aAccessible)
 
 
 //-----------------------------------------------------------------------------
+NS_IMETHODIMP
+nsTextFrame::Init(nsIContent*      aContent,
+                  nsIFrame*        aParent,
+                  nsIFrame*        aPrevInFlow)
+{
+  nsresult rv = nsFrame::Init(aContent, aParent, aPrevInFlow);
+  if (NS_SUCCEEDED(rv) && !aPrevInFlow &&
+      GetStyleText()->WhiteSpaceIsSignificant()) {
+    // We care about our actual length in this case, so we can report the right
+    // thing from HasTerminalNewline().  Since we're not a continuing frame, we
+    // should map the whole content node.
+
+    // Note that if we're created due to bidi splitting the bidi code
+    // will override what we compute here, so it's ok.
+    nsCOMPtr<nsITextContent> tc = do_QueryInterface(mContent);
+    if (tc) {
+      mContentLength = tc->Text()->GetLength();
+    }
+  }
+  return rv;
+}
+
 void
 nsTextFrame::Destroy()
 {
@@ -1929,11 +1959,15 @@ nsTextFrame::CharacterDataChanged(nsPresContext* aPresContext,
   }
 
   if (markAllDirty) {
-    // Mark this frame and all the next-in-flow frames as dirty
+    // Mark this frame and all the next-in-flow frames as dirty and reset all
+    // the content offsets and lengths to 0, since they no longer know what
+    // content is ok to access.
     nsTextFrame*  textFrame = this;
     while (textFrame) {
       textFrame->mState &= ~TEXT_WHITESPACE_FLAGS;
       textFrame->mState |= NS_FRAME_IS_DIRTY;
+      textFrame->mContentOffset = 0;
+      textFrame->mContentLength = 0;
       textFrame = NS_STATIC_CAST(nsTextFrame*, textFrame->GetNextContinuation());
     }
   }