Title: [99074] branches/chromium/912/Source/WebCore/css/CSSParser.cpp
- Revision
- 99074
- Author
- cev...@google.com
- Date
- 2011-11-02 09:48:30 -0700 (Wed, 02 Nov 2011)
Log Message
Merge 98374
BUG=101010
Review URL: http://codereview.chromium.org/8386038
Modified Paths
Diff
Modified: branches/chromium/912/Source/WebCore/css/CSSParser.cpp (99073 => 99074)
--- branches/chromium/912/Source/WebCore/css/CSSParser.cpp 2011-11-02 16:46:58 UTC (rev 99073)
+++ branches/chromium/912/Source/WebCore/css/CSSParser.cpp 2011-11-02 16:48:30 UTC (rev 99074)
@@ -615,9 +615,9 @@
{
OwnPtr<CSSProperty> prop(adoptPtr(new CSSProperty(propId, value, important, m_currentShorthand, m_implicitShorthand)));
if (m_numParsedProperties >= m_maxParsedProperties) {
+ if (m_numParsedProperties > (UINT_MAX / sizeof(CSSProperty*)) - 32)
+ CRASH(); // Avoid inconsistencies with rollbackLastProperties.
m_maxParsedProperties += 32;
- if (m_maxParsedProperties > UINT_MAX / sizeof(CSSProperty*))
- return;
m_parsedProperties = static_cast<CSSProperty**>(fastRealloc(m_parsedProperties,
m_maxParsedProperties * sizeof(CSSProperty*)));
}
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
