Skip to content

GitLab

T
tangled
Commit 88ab925e authored by svillar@igalia.com's avatar svillar@igalia.com
Browse files
Options

[CSS Grid Layout] Heap-buffer-overflow in std::sort() 

r179621 added support to handle infinite sizes to the
sortByGridTrackGrowthPotential() sorting function. The problem is that it broke
the strict weak ordering required by std::sort when the compared items had both
infinite maximum sizes, so the algorithm was going nuts.

BUG=401983, 402508, 402757

Review URL: https://codereview.chromium.org/493093002

git-svn-id: svn://svn.chromium.org/blink/trunk@181634 bbb929c8-8fbe-4397-9dbb-9b2b20218538
parent 88e3c00c
Hide whitespace changes
Inline Side-by-side
Showing with 26 additions and 4 deletions
third_party/WebKit/LayoutTests/fast/css-grid-layout/grid-strict-ordering-crash-2-expected.txt 0 → 100644
View file @ 88ab925e
if (window.testRunner) testRunner.dumpAsText();
body { grid-column-end:span 200; } * { display:inline-grid; grid-column-start:foo; }
This test has PASSED if it does not CRASH.
third_party/WebKit/LayoutTests/fast/css-grid-layout/grid-strict-ordering-crash-2.html 0 → 100644
View file @ 88ab925e
<!DOCTYPE html>
<script>
if (window.testRunner)
testRunner.dumpAsText();
</script>
<li></li>
<style>
body {
grid-column-end:span 200;
}
* {
display:inline-grid;
grid-column-start:foo;
}
</style>
<p><br>This test has PASSED if it does not CRASH.</p>
third_party/WebKit/Source/core/rendering/RenderGrid.cpp
View file @ 88ab925e
......@@ -748,11 +748,13 @@ void RenderGrid::resolveContentBasedTrackSizingFunctionsForItems(GridTrackSizing
static bool sortByGridTrackGrowthPotential(const GridTrack* track1, const GridTrack* track2)
{
if (track1->m_maxBreadth == infinity)
return track2->m_maxBreadth == infinity;
// This check ensures that we respect the irreflexivity property of the strict weak ordering required by std::sort
// (forall x: NOT x < x).
if (track1->m_maxBreadth == infinity && track2->m_maxBreadth == infinity)
return false;
if (track2->m_maxBreadth == infinity)
return true;
if (track1->m_maxBreadth == infinity || track2->m_maxBreadth == infinity)
return track2->m_maxBreadth == infinity;
return (track1->m_maxBreadth - track1->m_usedBreadth) < (track2->m_maxBreadth - track2->m_usedBreadth);
}
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment