Chromium Code Reviews

Issue 23874023: Heap-buffer-overflow in void std::__final_insertion_sort. (Closed)

Created: 7 years, 3 months ago by a.suchit
Modified: 7 years, 2 months ago
CC: blink-reviews, eae+blinkwatch, leviw+renderwatch, jchaffraix+rendering
Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Visibility: Public.

Description

Heap-buffer-overflow in void std::__final_insertion_sort.

It was crashing while sorting rowspan cells. std::sort calls the comparator function 2 times with the same values in reverse order when the first call returns true, to verify the result with the second call, which must compulsorily return false. But that was not the case in our comparator function. There was a mistake in the comparator function. Cells should be sorted based on row indexes only when one cell is not a subpart of another cell.

R=jchaffraix@chromium.org
BUG=296003

Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=158347
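The comparator property the description refers to, as an added example that is not Blink's code and not part of this change: a constructed cell model with a defective and a corrected ordering, plus a check that no pair compares "less" in both directions. `Cell`, `includedIn`, `brokenLess`, `fixedLess`, `asymmetryViolations` and `sampleCells` are hypothetical names, and the sample cells are constructed.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <vector>

// Constructed model of a rowspan cell: first row occupied and number of rows spanned.
struct Cell { unsigned row; unsigned span; };

// True when `inner` lies entirely within the rows covered by `outer`.
static bool includedIn(const Cell& inner, const Cell& outer) {
    return inner.row >= outer.row && inner.row + inner.span <= outer.row + outer.span;
}

// Defective ordering: the row-index fallback also runs when b is nested inside a,
// so for an outer cell that starts first, both less(outer, inner) and less(inner, outer) hold.
static bool brokenLess(const Cell& a, const Cell& b) {
    if (includedIn(a, b) && includedIn(b, a)) return false; // same extent: equivalent
    if (includedIn(a, b)) return true;                      // inner cell sorts first
    return a.row < b.row;
}

// Corrected ordering: compare row indexes only when neither cell is part of the other.
static bool fixedLess(const Cell& a, const Cell& b) {
    if (includedIn(a, b) && includedIn(b, a)) return false;
    if (includedIn(a, b)) return true;
    if (includedIn(b, a)) return false;
    return a.row < b.row;
}

// Counts pairs (including a cell with itself) where less(a, b) and less(b, a) both hold.
// std::sort requires a strict weak ordering, so this count must be zero.
template <typename Less>
static std::size_t asymmetryViolations(const std::vector<Cell>& cells, Less less) {
    std::size_t bad = 0;
    for (std::size_t i = 0; i < cells.size(); ++i)
        for (std::size_t j = i; j < cells.size(); ++j)
            if (less(cells[i], cells[j]) && less(cells[j], cells[i])) ++bad;
    return bad;
}

// Constructed sample: two outer cells with smaller cells nested inside them.
static std::vector<Cell> sampleCells() { return {{0, 10}, {2, 3}, {5, 1}, {1, 20}}; }

int main() {
    std::vector<Cell> cells = sampleCells();
    std::printf("broken: %zu violations\n", asymmetryViolations(cells, brokenLess));
    std::printf("fixed:  %zu violations\n", asymmetryViolations(cells, fixedLess));
    std::sort(cells.begin(), cells.end(), fixedLess); // only the valid comparator goes to std::sort
    for (const Cell& c : cells) std::printf("row %u span %u\n", c.row, c.span);
}
```

Running a check like `asymmetryViolations` over representative inputs in a unit test catches this class of comparator defect before it reaches `std::sort`, where an invalid ordering is undefined behaviour.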

Patch Set 1 #

Total comments: 6

Patch Set 2 : Review comments addressed #

Stats (+85 lines, -2 lines)
M LayoutTests/TestExpectations: 1 chunk, +0 lines, -1 line
A LayoutTests/fast/table/table-rowspan-crash-with-huge-rowspan-cells-2.html: 1 chunk, +70 lines, -0 lines
A LayoutTests/fast/table/table-rowspan-crash-with-huge-rowspan-cells-2-expected.txt: 1 chunk, +14 lines, -0 lines
M Source/core/rendering/RenderTableSection.cpp: 1 chunk, +1 line, -1 line

Messages

Total messages: 9 (0 generated)
suchit.agrawal
7 years, 3 months ago (2013-09-24 12:55:24 UTC) #1
a.suchit
With this fix, below exception should get fixed. crbug.com/285703 [ Debug ] fast/table/table-rowspan-crash-with-huge-rowspan-cells.html [ Crash ...
7 years, 3 months ago (2013-09-24 13:01:27 UTC) #2
Julien - ping for review
> But I did not update the file 'LayoutTests/TestExpectations' with it yet. Why don't we update ...
7 years, 3 months ago (2013-09-24 21:18:09 UTC) #3
a.suchit
I removed the below entry from Layout/TestExpectations. After this fix, below test case should not ...
7 years, 2 months ago (2013-09-25 06:12:48 UTC) #4
Julien - ping for review
lgtm
7 years, 2 months ago (2013-09-25 20:52:33 UTC) #5
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/a.suchit@samsung.com/23874023/13001
7 years, 2 months ago (2013-09-25 20:52:42 UTC) #6
commit-bot: I haz the power
Step "update" is always a major failure. Look at the try server FAQ for more ...
7 years, 2 months ago (2013-09-26 01:21:11 UTC) #7
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/a.suchit@samsung.com/23874023/13001
7 years, 2 months ago (2013-09-26 01:25:01 UTC) #8
commit-bot: I haz the power
7 years, 2 months ago (2013-09-26 01:53:02 UTC) #9
Message was sent while issue was closed.
Change committed as 158347
