From f282ed34fec9761431e145924b5b2ebadc489a90 Mon Sep 17 00:00:00 2001
From: Mats Palmgren
Date: Wed, 14 Apr 2010 21:35:36 +0200
Subject: [PATCH] Use NSCoordSaturatingAdd to avoid integer overflow. b=541714 r=roc
---
 layout/generic/crashtests/541714-1.html | 3 +++
 layout/generic/crashtests/541714-2.html | 3 +++
 layout/generic/crashtests/crashtests.list | 2 ++
 layout/generic/nsBlockFrame.cpp | 12 +++++++++---
 4 files changed, 17 insertions(+), 3 deletions(-)
 create mode 100644 layout/generic/crashtests/541714-1.html
 create mode 100644 layout/generic/crashtests/541714-2.html
diff --git a/layout/generic/crashtests/541714-1.html b/layout/generic/crashtests/541714-1.html
new file mode 100644
index 00000000000..e790358e0e5
--- /dev/null
+++ b/layout/generic/crashtests/541714-1.html
@@ -0,0 +1,3 @@
+
+
+
diff --git a/layout/generic/crashtests/541714-2.html b/layout/generic/crashtests/541714-2.html
new file mode 100644
index 00000000000..dc163436577
--- /dev/null
+++ b/layout/generic/crashtests/541714-2.html
@@ -0,0 +1,3 @@
+
+
+
diff --git a/layout/generic/crashtests/crashtests.list b/layout/generic/crashtests/crashtests.list
index 425807453f3..41743da854d 100644
--- a/layout/generic/crashtests/crashtests.list
+++ b/layout/generic/crashtests/crashtests.list
@@ -294,4 +294,6 @@ load 533379-2.html
 load 534082-1.html
 load 541277-1.html
 load 541277-2.html
+load 541714-1.html
+load 541714-2.html
 load 551635-1.html
diff --git a/layout/generic/nsBlockFrame.cpp b/layout/generic/nsBlockFrame.cpp
index c5993e71daa..5cf0a8a1886 100644
--- a/layout/generic/nsBlockFrame.cpp
+++ b/layout/generic/nsBlockFrame.cpp
@@ -1249,8 +1249,10 @@ nsBlockFrame::ComputeFinalSize(const nsHTMLReflowState& aReflowState,
 #endif
 // Compute final width
- aMetrics.width = borderPadding.left + aReflowState.ComputedWidth() +
- borderPadding.right;
+ aMetrics.width =
+ NSCoordSaturatingAdd(NSCoordSaturatingAdd(borderPadding.left,
+ aReflowState.ComputedWidth()),
+ borderPadding.right);
 // Return bottom margin information
 // rbs says he hit this assertion occasionally (see bug 86947), so
@@ -1321,7 +1323,11 @@ nsBlockFrame::ComputeFinalSize(const nsHTMLReflowState& aReflowState,
 && computedHeightLeftOver ),
 "overflow container must not have computedHeightLeftOver");
- aMetrics.height = borderPadding.top + computedHeightLeftOver + borderPadding.bottom;
+ aMetrics.height =
+ NSCoordSaturatingAdd(NSCoordSaturatingAdd(borderPadding.top,
+ computedHeightLeftOver),
+ borderPadding.bottom);
+
 if (NS_FRAME_IS_NOT_COMPLETE(aState.mReflowStatus)
 && aMetrics.height < aReflowState.availableHeight) {
 // We ran out of height on this page but we're incomplete
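Review bot: The clamped `aMetrics.width` in the first nsBlockFrame.cpp hunk can now come out as exactly nscoord_MAX, and nothing at the assignment says how that value is meant to be read. Layout code commonly treats nscoord_MAX as an "unconstrained" marker rather than a real length, so a saturated width may be taken downstream as "no width" instead of "very wide"; whether that matters depends on consumers of aMetrics that are not visible here. A comment at the assignment would record the intent, for example `// Saturate instead of wrapping: border/padding plus ComputedWidth() can exceed nscoord_MAX for huge CSS lengths (bug 541714).` ComputeFinalSize begins and ends outside the hunk.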
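Review bot: Only this one `aMetrics.height` assignment is saturated in the second hunk, and ComputeFinalSize continues outside it, so any other branch that still sums `borderPadding.top`, a content height and `borderPadding.bottom` with plain `+` would remain able to wrap; that is worth checking across the whole function before the bug is considered closed. The nested `NSCoordSaturatingAdd(NSCoordSaturatingAdd(a, b), c)` shape is now written out twice, for width and for height. A file-local helper such as `static inline nscoord SaturatingAdd3(nscoord a, nscoord b, nscoord c) { return NSCoordSaturatingAdd(NSCoordSaturatingAdd(a, b), c); }` would keep each call site on one line and make an unconverted sum easier to spot in review.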