Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(900)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: Source/core/rendering/RenderTableSection.cpp

Issue 23874023: Heap-buffer-overflow in void std::__final_insertion_sort. (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Patch Set: Review comments addressed Created 7 years, 2 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « LayoutTests/fast/table/table-rowspan-crash-with-huge-rowspan-cells-2-expected.txt ('k') | no next file » | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 /* 1 /*
2 * Copyright (C) 1997 Martin Jones (mjones@kde.org) 2 * Copyright (C) 1997 Martin Jones (mjones@kde.org)
3 * (C) 1997 Torben Weis (weis@kde.org) 3 * (C) 1997 Torben Weis (weis@kde.org)
4 * (C) 1998 Waldo Bastian (bastian@kde.org) 4 * (C) 1998 Waldo Bastian (bastian@kde.org)
5 * (C) 1999 Lars Knoll (knoll@kde.org) 5 * (C) 1999 Lars Knoll (knoll@kde.org)
6 * (C) 1999 Antti Koivisto (koivisto@kde.org) 6 * (C) 1999 Antti Koivisto (koivisto@kde.org)
7 * Copyright (C) 2003, 2004, 2005, 2006, 2008, 2009, 2010 Apple Inc. All rights reserved. 7 * Copyright (C) 2003, 2004, 2005, 2006, 2008, 2009, 2010 Apple Inc. All rights reserved.
8 * Copyright (C) 2006 Alexey Proskuryakov (ap@nypop.com) 8 * Copyright (C) 2006 Alexey Proskuryakov (ap@nypop.com)
9 * 9 *
10 * This library is free software; you can redistribute it and/or 10 * This library is free software; you can redistribute it and/or
(...skipping 396 matching lines...) Expand 10 before | Expand all | Expand 10 after
407 // height cell to distribute it's extra height. 407 // height cell to distribute it's extra height.
408 if (cell1->rowIndex() == cell2->rowIndex() && cell1->rowSpan() == cell2->row Span()) 408 if (cell1->rowIndex() == cell2->rowIndex() && cell1->rowSpan() == cell2->row Span())
409 return (cell1->logicalHeightForRowSizing() > cell2->logicalHeightForRowS izing()); 409 return (cell1->logicalHeightForRowSizing() > cell2->logicalHeightForRowS izing());
410 // Sorting inner most cell first because if inner spanning cell'e extra heig ht is distributed then outer 410 // Sorting inner most cell first because if inner spanning cell'e extra heig ht is distributed then outer
411 // spanning cell's extra height will adjust accordingly. In reverse order, t here is more chances that outer 411 // spanning cell's extra height will adjust accordingly. In reverse order, t here is more chances that outer
412 // spanning cell's height will exceed than defined by user. 412 // spanning cell's height will exceed than defined by user.
413 if (cellIsFullyIncludedInOtherCell(cell1, cell2)) 413 if (cellIsFullyIncludedInOtherCell(cell1, cell2))
414 return true; 414 return true;
415 // Sorting lower row index first because first we need to apply the extra he ight of spanning cell which 415 // Sorting lower row index first because first we need to apply the extra he ight of spanning cell which
416 // comes first in the table so lower rows's position would increment in sequ ence. 416 // comes first in the table so lower rows's position would increment in sequ ence.
417 if (cellIsFullyIncludedInOtherCell(cell2, cell1)) 417 if (!cellIsFullyIncludedInOtherCell(cell2, cell1))
418 return (cell1->rowIndex() < cell2->rowIndex()); 418 return (cell1->rowIndex() < cell2->rowIndex());
419 419
420 return false; 420 return false;
421 } 421 }
422 422
423 bool RenderTableSection::isHeightNeededForRowHavingOnlySpanningCells(unsigned ro w) 423 bool RenderTableSection::isHeightNeededForRowHavingOnlySpanningCells(unsigned ro w)
424 { 424 {
425 unsigned totalCols = m_grid[row].row.size(); 425 unsigned totalCols = m_grid[row].row.size();
426 426
427 if (!totalCols) 427 if (!totalCols)
(...skipping 1381 matching lines...) Expand 10 before | Expand all | Expand 10 after
1809 if (!style()->isLeftToRightDirection()) 1809 if (!style()->isLeftToRightDirection())
1810 cellLocation.setX(table()->columnPositions()[table()->numEffCols()] - ta ble()->columnPositions()[table()->colToEffCol(cell->col() + cell->colSpan())] + horizontalBorderSpacing); 1810 cellLocation.setX(table()->columnPositions()[table()->numEffCols()] - ta ble()->columnPositions()[table()->colToEffCol(cell->col() + cell->colSpan())] + horizontalBorderSpacing);
1811 else 1811 else
1812 cellLocation.setX(table()->columnPositions()[effectiveColumn] + horizont alBorderSpacing); 1812 cellLocation.setX(table()->columnPositions()[effectiveColumn] + horizont alBorderSpacing);
1813 1813
1814 cell->setLogicalLocation(cellLocation); 1814 cell->setLogicalLocation(cellLocation);
1815 view()->addLayoutDelta(oldCellLocation - cell->location()); 1815 view()->addLayoutDelta(oldCellLocation - cell->location());
1816 } 1816 }
1817 1817
1818 } // namespace WebCore 1818 } // namespace WebCore
OLDNEW
« no previous file with comments | « LayoutTests/fast/table/table-rowspan-crash-with-huge-rowspan-cells-2-expected.txt ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698