2011-02-09 Abhishek Arya <inferno@chromium.org>

        Reviewed by James Robinson.

        [Chromium] Issue 72387: Integer bounds crash in LayerTilerChromium::resizeLayer
        https://bugs.webkit.org/show_bug.cgi?id=54132
 
        * platform/graphics/chromium/LayerTilerChromium.cpp:
        (WebCore::LayerTilerChromium::resizeLayer):


git-svn-id: svn://svn.chromium.org/blink/trunk@78143 bbb929c8-8fbe-4397-9dbb-9b2b20218538

third_party/WebKit/Source/WebCore/ChangeLog

+2011-02-09  Abhishek Arya  <inferno@chromium.org>
+
+        Reviewed by James Robinson.
+
+        [Chromium] Issue 72387: Integer bounds crash in LayerTilerChromium::resizeLayer
+        https://bugs.webkit.org/show_bug.cgi?id=54132
+ 
+        * platform/graphics/chromium/LayerTilerChromium.cpp:
+        (WebCore::LayerTilerChromium::resizeLayer):
+
 2011-02-09  Xiyuan Xia  <xiyuan@chromium.org>
 
         Reviewed by Tony Chang.

third_party/WebKit/Source/WebCore/platform/graphics/chromium/LayerTilerChromium.cpp

@@ -412,6 +412,9 @@ void LayerTilerChromium::resizeLayer(const IntSize& size)
     int width = (size.width() + m_tileSize.width() - 1) / m_tileSize.width();
     int height = (size.height() + m_tileSize.height() - 1) / m_tileSize.height();
 
+    if (height && (width > INT_MAX / height))
+        CRASH();
+
     Vector<OwnPtr<Tile> > newTiles;
     newTiles.resize(width * height);
     for (int j = 0; j < m_layerTileSize.height(); ++j)