Merge changes I78ff6a85,Ic85c6405,Ibf903baa,I3a0459db,I35140385,I54790419,I6bfe5d24,Ia9f39b83,I5bcecd5a,I1de96683,I543c6810,I8a5b0878,I0ae670bf,Ide4d58dc,I28ebaf3d,I499d6631,Ie5090e0d,I6d3e5f1f

* changes:
  Merge WebKit at r78450: Update ThirdPartyProject.prop
  Merge WebKit at r78450: Add new Font::canExpandAroundIdeographsInComplexText()
  Merge WebKit at r78450: Add new ChromeClient::selectItemAlignmentFollowsMenuWritingDirection()
  Merge WebKit at r78450: FrameLoaderClient::didRunInsecureContent() signature changed
  Merge WebKit at r78450: HTMLAreaElement::getRect() renamed
  Merge WebKit at r78450: FrameLoader::url() removed
  Merge WebKit at r78450: HTMLParserQuirks removed
  Merge WebKit at r78450: TextRun::padding() renamed
  Merge WebKit at r78450: Use new FontMetrics
  Merge WebKit at r78450: GraphicsContext current path removed
  Merge WebKit at r78450: TransformationMatrix multiply methods renamed and meaning changed
  Merge WebKit at r78450: FontCustomPlatformData::fontPlatformData() signature changed
  Merge WebKit at r78450: IntRect::bottom()/right() renamed
  Merge WebKit at r78450: Fix remaining conflicts
  Merge WebKit at r78450: Fix conflicts due to new ENABLE_WEB_ARCHIVE guard
  Merge WebKit at r78450: Fix conflicts in media controls
  Merge WebKit at r78450: Fix Makefiles
  Merge WebKit at r78450: Initial merge by git.

1 files changed, 29 insertions, 8 deletions

diff --git a/Source/WebCore/platform/graphics/chromium/LayerTilerChromium.cpp b/Source/WebCore/platform/graphics/chromium/LayerTilerChromium.cpp
index 6b65e66..e28c084 100644
--- a/Source/WebCore/platform/graphics/chromium/LayerTilerChromium.cpp
+++ b/Source/WebCore/platform/graphics/chromium/LayerTilerChromium.cpp
@@ -145,8 +145,8 @@ void LayerTilerChromium::contentRectToTileIndices(const IntRect& contentRect, in
 
     left = layerRect.x() / m_tileSize.width();
     top = layerRect.y() / m_tileSize.height();
-    right = (layerRect.right() - 1) / m_tileSize.width();
-    bottom = (layerRect.bottom() - 1) / m_tileSize.height();
+    right = (layerRect.maxX() - 1) / m_tileSize.width();
+    bottom = (layerRect.maxY() - 1) / m_tileSize.height();
 }
 
 IntRect LayerTilerChromium::contentRectToLayerRect(const IntRect& contentRect) const
@@ -272,7 +272,11 @@ void LayerTilerChromium::update(TilePaintInterface& painter, const IntRect& cont
     // Get the contents of the updated rect.
     const SkBitmap& bitmap = canvas->getDevice()->accessBitmap(false);
     ASSERT(bitmap.width() == paintRect.width() && bitmap.height() == paintRect.height());
+    if (bitmap.width() != paintRect.width() || bitmap.height() != paintRect.height())
+        CRASH();
     uint8_t* paintPixels = static_cast<uint8_t*>(bitmap.getPixels());
+    if (!paintPixels)
+        CRASH();
 #elif PLATFORM(CG)
     Vector<uint8_t> canvasPixels;
     int rowBytes = 4 * paintRect.width();
@@ -299,9 +303,15 @@ void LayerTilerChromium::update(TilePaintInterface& painter, const IntRect& cont
 #error "Need to implement for your platform."
 #endif
 
+    // Painting could cause compositing to get turned off, which may cause the tiler to become invalidated mid-update.
+    if (!m_tiles.size())
+        return;
+
     for (int j = top; j <= bottom; ++j) {
         for (int i = left; i <= right; ++i) {
             Tile* tile = m_tiles[tileIndex(i, j)].get();
+            if (!tile)
+                CRASH();
             if (!tile->dirty())
                 continue;
 
@@ -320,13 +330,21 @@ void LayerTilerChromium::update(TilePaintInterface& painter, const IntRect& cont
 
             // Calculate tile-space rectangle to upload into.
             IntRect destRect(IntPoint(sourceRect.x() - anchor.x(), sourceRect.y() - anchor.y()), sourceRect.size());
-            ASSERT(destRect.x() >= 0);
-            ASSERT(destRect.y() >= 0);
+            if (destRect.x() < 0)
+                CRASH();
+            if (destRect.y() < 0)
+                CRASH();
 
             // Offset from paint rectangle to this tile's dirty rectangle.
             IntPoint paintOffset(sourceRect.x() - paintRect.x(), sourceRect.y() - paintRect.y());
-            ASSERT(paintOffset.x() >= 0);
-            ASSERT(paintOffset.y() >= 0);
+            if (paintOffset.x() < 0)
+                CRASH();
+            if (paintOffset.y() < 0)
+                CRASH();
+            if (paintOffset.x() + destRect.width() > paintRect.width())
+                CRASH();
+            if (paintOffset.y() + destRect.height() > paintRect.height())
+                CRASH();
 
             uint8_t* pixelSource;
             if (paintRect.width() == sourceRect.width() && !paintOffset.x())
@@ -357,7 +375,7 @@ void LayerTilerChromium::setLayerPosition(const IntPoint& layerPosition)
 
 void LayerTilerChromium::draw(const IntRect& contentRect)
 {
-    if (m_skipsDraw)
+    if (m_skipsDraw || !m_tiles.size())
         return;
 
     // We reuse the shader program used by ContentLayerChromium.
@@ -394,6 +412,9 @@ void LayerTilerChromium::resizeLayer(const IntSize& size)
     int width = (size.width() + m_tileSize.width() - 1) / m_tileSize.width();
     int height = (size.height() + m_tileSize.height() - 1) / m_tileSize.height();
 
+    if (height && (width > INT_MAX / height))
+        CRASH();
+
     Vector<OwnPtr<Tile> > newTiles;
     newTiles.resize(width * height);
     for (int j = 0; j < m_layerTileSize.height(); ++j)
@@ -409,7 +430,7 @@ void LayerTilerChromium::growLayerToContain(const IntRect& contentRect)
 {
     // Grow the tile array to contain this content rect.
     IntRect layerRect = contentRectToLayerRect(contentRect);
-    IntSize layerSize = IntSize(layerRect.right(), layerRect.bottom());
+    IntSize layerSize = IntSize(layerRect.maxX(), layerRect.maxY());
 
     IntSize newSize = layerSize.expandedTo(m_layerSize);
     resizeLayer(newSize);