diff -u -8 -p -r3.263 nsCSSRendering.cpp

--- a/layout/base/nsCSSRendering.cpp	2 Aug 2005 20:11:09 -0000	3.263

+++ b/layout/base/nsCSSRendering.cpp	1 Nov 2005 19:44:57 -0000

@@ -3626,20 +3626,24 @@ nsCSSRendering::RenderSide(nsFloatPoint 

         // solid code below....

       case NS_STYLE_BORDER_STYLE_AUTO:

       case NS_STYLE_BORDER_STYLE_SOLID:

         polypath[0].x = NSToCoordRound(aPoints[0].x);

         polypath[0].y = NSToCoordRound(aPoints[0].y);

         curIndex = 1;

         GetPath(aPoints,polypath,&curIndex,eOutside,c1Index);

         c2Index = curIndex;

+        if (curIndex >= MAXPOLYPATHSIZE)

+          return;

         polypath[curIndex].x = NSToCoordRound(aPoints[6].x);

         polypath[curIndex].y = NSToCoordRound(aPoints[6].y);

         curIndex++;

         GetPath(aPoints,polypath,&curIndex,eInside,junk);

+        if (curIndex >= MAXPOLYPATHSIZE)

+          return;

         polypath[curIndex].x = NSToCoordRound(aPoints[0].x);

         polypath[curIndex].y = NSToCoordRound(aPoints[0].y);

         curIndex++;

         aRenderingContext.FillPolygon(polypath,curIndex);

 

        break;

       case NS_STYLE_BORDER_STYLE_DOUBLE:

         polypath[0].x = NSToCoordRound(aPoints[0].x);

@@ -3661,39 +3665,47 @@ nsCSSRendering::RenderSide(nsFloatPoint 

         {

         const nsStyleBackground* bgColor = nsCSSRendering::FindNonTransparentBackground(aStyleContext);

         aRenderingContext.SetColor ( MakeBevelColor (aSide, border_Style, bgColor->mBackgroundColor,sideColor, PR_TRUE));

 

         polypath[0].x = NSToCoordRound(aPoints[0].x);

         polypath[0].y = NSToCoordRound(aPoints[0].y);

         curIndex = 1;

         GetPath(aPoints,polypath,&curIndex,eOutside,c1Index);

+        if (curIndex >= MAXPOLYPATHSIZE)

+          return;

         polypath[curIndex].x = NSToCoordRound((aPoints[5].x + aPoints[6].x)/2.0f);

         polypath[curIndex].y = NSToCoordRound((aPoints[5].y + aPoints[6].y)/2.0f);

         curIndex++;

         GetPath(aPoints,polypath,&curIndex,eCalcRev,c1Index,.5);

+        if (curIndex >= MAXPOLYPATHSIZE)

+          return;

         polypath[curIndex].x = NSToCoordRound(aPoints[0].x);

         polypath[curIndex].y = NSToCoordRound(aPoints[0].y);

         curIndex++;

         aRenderingContext.FillPolygon(polypath,curIndex);

 

         aRenderingContext.SetColor ( MakeBevelColor (aSide, 

                                                 ((border_Style == NS_STYLE_BORDER_STYLE_RIDGE) ?

                                                 NS_STYLE_BORDER_STYLE_GROOVE :

                                                 NS_STYLE_BORDER_STYLE_RIDGE), 

                                                 bgColor->mBackgroundColor,sideColor, PR_TRUE));

        

         polypath[0].x = NSToCoordRound((aPoints[0].x + aPoints[11].x)/2.0f);

         polypath[0].y = NSToCoordRound((aPoints[0].y + aPoints[11].y)/2.0f);

         curIndex = 1;

         GetPath(aPoints,polypath,&curIndex,eCalc,c1Index,.5);

+        if (curIndex >= MAXPOLYPATHSIZE)

+          return;

         polypath[curIndex].x = NSToCoordRound(aPoints[6].x) ;

         polypath[curIndex].y = NSToCoordRound(aPoints[6].y);

         curIndex++;

         GetPath(aPoints,polypath,&curIndex,eInside,c1Index);

+        if (curIndex >= MAXPOLYPATHSIZE)

+          return;

         polypath[curIndex].x = NSToCoordRound(aPoints[0].x);

         polypath[curIndex].y = NSToCoordRound(aPoints[0].y);

         curIndex++;

         aRenderingContext.FillPolygon(polypath,curIndex);

         }

         break;

       default:

         break;

@@ -3874,95 +3886,122 @@ RoundedRect::GetRoundedBorders(QBCurve &

  *  @param aCurIndex -- the index that points to the last element of the array

  *  @param aPathType -- what kind of path that should be returned

  *  @param aFrac -- the inset amount for a eCalc type path

  */

 static void 

 GetPath(nsFloatPoint aPoints[],nsPoint aPolyPath[],PRInt32 *aCurIndex,ePathTypes  aPathType,PRInt32 &aC1Index,float aFrac)

 {

   QBCurve thecurve;

+  

+  if (*aCurIndex >= MAXPOLYPATHSIZE)

+    return;

 

   switch (aPathType) {

     case eOutside:

       thecurve.SetPoints(aPoints[0].x,aPoints[0].y,aPoints[1].x,aPoints[1].y,aPoints[2].x,aPoints[2].y);

       thecurve.SubDivide(nsnull,aPolyPath,aCurIndex);

       aC1Index = *aCurIndex;

+      if (*aCurIndex >= MAXPOLYPATHSIZE)

+        return;

       aPolyPath[*aCurIndex].x = (nscoord)aPoints[3].x;

       aPolyPath[*aCurIndex].y = (nscoord)aPoints[3].y;

       (*aCurIndex)++;

+      if (*aCurIndex >= MAXPOLYPATHSIZE)

+        return;

       thecurve.SetPoints(aPoints[3].x,aPoints[3].y,aPoints[4].x,aPoints[4].y,aPoints[5].x,aPoints[5].y);

       thecurve.SubDivide(nsnull,aPolyPath,aCurIndex);

       break;

     case eInside:

       thecurve.SetPoints(aPoints[6].x,aPoints[6].y,aPoints[7].x,aPoints[7].y,aPoints[8].x,aPoints[8].y);

       thecurve.SubDivide(nsnull,aPolyPath,aCurIndex);

+      if (*aCurIndex >= MAXPOLYPATHSIZE)

+        return;

       aPolyPath[*aCurIndex].x = (nscoord)aPoints[9].x;

       aPolyPath[*aCurIndex].y = (nscoord)aPoints[9].y;

       (*aCurIndex)++;

+      if (*aCurIndex >= MAXPOLYPATHSIZE)

+        return;

       thecurve.SetPoints(aPoints[9].x,aPoints[9].y,aPoints[10].x,aPoints[10].y,aPoints[11].x,aPoints[11].y);

       thecurve.SubDivide(nsnull,aPolyPath,aCurIndex);

      break;

     case eCalc:

       thecurve.SetPoints( (aPoints[0].x+aPoints[11].x)/2.0f,(aPoints[0].y+aPoints[11].y)/2.0f,

                           (aPoints[1].x+aPoints[10].x)/2.0f,(aPoints[1].y+aPoints[10].y)/2.0f,

                           (aPoints[2].x+aPoints[9].x)/2.0f,(aPoints[2].y+aPoints[9].y)/2.0f);

       thecurve.SubDivide(nsnull,aPolyPath,aCurIndex);

+      if (*aCurIndex >= MAXPOLYPATHSIZE)

+        return;

       aPolyPath[*aCurIndex].x = (nscoord)((aPoints[3].x+aPoints[8].x)/2.0f);

       aPolyPath[*aCurIndex].y = (nscoord)((aPoints[3].y+aPoints[8].y)/2.0f);

       (*aCurIndex)++;

+      if (*aCurIndex >= MAXPOLYPATHSIZE)

+        return;

       thecurve.SetPoints( (aPoints[3].x+aPoints[8].x)/2.0f,(aPoints[3].y+aPoints[8].y)/2.0f,

                           (aPoints[4].x+aPoints[7].x)/2.0f,(aPoints[4].y+aPoints[7].y)/2.0f,

                           (aPoints[5].x+aPoints[6].x)/2.0f,(aPoints[5].y+aPoints[6].y)/2.0f);

       thecurve.SubDivide(nsnull,aPolyPath,aCurIndex);

       break;

     case eCalcRev:

       thecurve.SetPoints( (aPoints[5].x+aPoints[6].x)/2.0f,(aPoints[5].y+aPoints[6].y)/2.0f,

                           (aPoints[4].x+aPoints[7].x)/2.0f,(aPoints[4].y+aPoints[7].y)/2.0f,

                           (aPoints[3].x+aPoints[8].x)/2.0f,(aPoints[3].y+aPoints[8].y)/2.0f);

       thecurve.SubDivide(nsnull,aPolyPath,aCurIndex);

       aPolyPath[*aCurIndex].x = (nscoord)((aPoints[2].x+aPoints[9].x)/2.0f);

       aPolyPath[*aCurIndex].y = (nscoord)((aPoints[2].y+aPoints[9].y)/2.0f);

       (*aCurIndex)++;

+      if (*aCurIndex >= MAXPOLYPATHSIZE)

+        return;

       thecurve.SetPoints( (aPoints[2].x+aPoints[9].x)/2.0f,(aPoints[2].y+aPoints[9].y)/2.0f,

                           (aPoints[1].x+aPoints[10].x)/2.0f,(aPoints[1].y+aPoints[10].y)/2.0f,

                           (aPoints[0].x+aPoints[11].x)/2.0f,(aPoints[0].y+aPoints[11].y)/2.0f);

       thecurve.SubDivide(nsnull,aPolyPath,aCurIndex);

       break;

   } 

 }

 

 /** ---------------------------------------------------

  *  See documentation in nsCSSRendering.h

  *  @update 4/13/99 dwc

  */

 void 

 QBCurve::SubDivide(nsIRenderingContext *aRenderingContext,nsPoint aPointArray[],PRInt32 *aCurIndex)

 {

-QBCurve   curve1,curve2;

-float     fx,fy,smag;

-

+  QBCurve   curve1,curve2;

+  float     fx,fy,smag, oldfx, oldfy, oldsmag;

+  

+  if (*aCurIndex >= MAXPOLYPATHSIZE)

+    return;

+  

+  oldfx = (this->mAnc1.x + this->mAnc2.x)/2.0f - this->mCon.x;

+  oldfy = (this->mAnc1.y + this->mAnc2.y)/2.0f - this->mCon.y;

+  oldsmag = oldfx * oldfx + oldfy * oldfy;

   // divide the curve into 2 pieces

   MidPointDivide(&curve1,&curve2);

 

   fx = (float)fabs(curve1.mAnc2.x - this->mCon.x);

   fy = (float)fabs(curve1.mAnc2.y - this->mCon.y);

 

   //smag = fx+fy-(PR_MIN(fx,fy)>>1);

   smag = fx*fx + fy*fy;

  

   if (smag>1){

+    if (smag + 0.2 > oldsmag)

+      return; // we did not get closer

     // split the curve again

     curve1.SubDivide(aRenderingContext,aPointArray,aCurIndex);

     curve2.SubDivide(aRenderingContext,aPointArray,aCurIndex);

   }else{

     if(aPointArray ) {

       // save the points for further processing

       aPointArray[*aCurIndex].x = (nscoord)curve1.mAnc2.x;

       aPointArray[*aCurIndex].y = (nscoord)curve1.mAnc2.y;

       (*aCurIndex)++;

+      if (*aCurIndex >= MAXPOLYPATHSIZE)

+        return;

       aPointArray[*aCurIndex].x = (nscoord)curve2.mAnc2.x;

       aPointArray[*aCurIndex].y = (nscoord)curve2.mAnc2.y;

       (*aCurIndex)++;

     }else{

       // draw the curve 

       nsTransform2D *aTransform;

       aRenderingContext->GetCurrentTransform(aTransform);

 

