From f9da4499faa3c01c19fe8735669210d76da6cf63 Mon Sep 17 00:00:00 2001
From: "dbaron%fas.harvard.edu"
 <dbaron%fas.harvard.edu@18797224-902f-48f8-a5cc-f745e15eee43>
Date: Tue, 16 Jul 2002 14:53:43 +0000
Subject: [PATCH] Work around crashes at ChildIterator::get using bounds check
 on ChildIterator::seek.  sr=waterson  r=kin  a=asa  b=133219

git-svn-id: svn://10.0.0.236/trunk@125295 18797224-902f-48f8-a5cc-f745e15eee43
---
 mozilla/layout/base/nsChildIterator.h           | 10 +++++++---
 mozilla/layout/html/style/src/nsChildIterator.h | 10 +++++++---
 2 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/mozilla/layout/base/nsChildIterator.h b/mozilla/layout/base/nsChildIterator.h
index b07db1e1180..d0f8da36358 100644
--- a/mozilla/layout/base/nsChildIterator.h
+++ b/mozilla/layout/base/nsChildIterator.h
@@ -125,8 +125,9 @@ public:
   }
 
   void seek(PRUint32 aIndex) {
-#ifdef DEBUG
-    // Make sure that aIndex is reasonable
+    // Make sure that aIndex is reasonable.  This should be |#ifdef
+    // DEBUG|, but we need these numbers for the temporary workaround
+    // for bug 133219.
     PRUint32 length;
     if (mNodes)
       mNodes->GetLength(&length);
@@ -134,7 +135,10 @@ public:
       mContent->ChildCount(NS_REINTERPRET_CAST(PRInt32&, length));
 
     NS_ASSERTION(PRInt32(aIndex) >= 0 && aIndex <= length, "out of bounds");
-#endif
+
+    // Temporary workaround for bug 133219.
+    if (aIndex > length)
+      aIndex = length;
 
     mIndex = aIndex;
   }
diff --git a/mozilla/layout/html/style/src/nsChildIterator.h b/mozilla/layout/html/style/src/nsChildIterator.h
index b07db1e1180..d0f8da36358 100644
--- a/mozilla/layout/html/style/src/nsChildIterator.h
+++ b/mozilla/layout/html/style/src/nsChildIterator.h
@@ -125,8 +125,9 @@ public:
   }
 
   void seek(PRUint32 aIndex) {
-#ifdef DEBUG
-    // Make sure that aIndex is reasonable
+    // Make sure that aIndex is reasonable.  This should be |#ifdef
+    // DEBUG|, but we need these numbers for the temporary workaround
+    // for bug 133219.
     PRUint32 length;
     if (mNodes)
       mNodes->GetLength(&length);
@@ -134,7 +135,10 @@ public:
       mContent->ChildCount(NS_REINTERPRET_CAST(PRInt32&, length));
 
     NS_ASSERTION(PRInt32(aIndex) >= 0 && aIndex <= length, "out of bounds");
-#endif
+
+    // Temporary workaround for bug 133219.
+    if (aIndex > length)
+      aIndex = length;
 
     mIndex = aIndex;
   }