Chromium Code Reviews

Side by Side Diff: Source/core/rendering/RenderGrid.cpp

Issue 493093002: [CSS Grid Layout] Heap-buffer-overflow in std::sort() (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Patch Set: Created 6 years, 4 months ago
OLDNEW
1 /* 1 /*
2 * Copyright (C) 2011 Apple Inc. All rights reserved. 2 * Copyright (C) 2011 Apple Inc. All rights reserved.
3 * 3 *
4 * Redistribution and use in source and binary forms, with or without 4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions 5 * modification, are permitted provided that the following conditions
6 * are met: 6 * are met:
7 * 1. Redistributions of source code must retain the above copyright 7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer. 8 * notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright 9 * 2. Redistributions in binary form must reproduce the above copyright
10 * notice, this list of conditions and the following disclaimer in the 10 * notice, this list of conditions and the following disclaimer in the
(...skipping 724 matching lines...)
735 // FIXME: We should pass different values for |tracksForGrowthAboveMaxBreadt h|. 735 // FIXME: We should pass different values for |tracksForGrowthAboveMaxBreadt h|.
736 736
737 // Specs mandate to floor additionalBreadthSpace (extra-space in specs) to 0 . Instead we directly avoid the function 737 // Specs mandate to floor additionalBreadthSpace (extra-space in specs) to 0 . Instead we directly avoid the function
738 // call in those cases as it will be a noop in terms of track sizing. 738 // call in those cases as it will be a noop in terms of track sizing.
739 if (additionalBreadthSpace > 0) 739 if (additionalBreadthSpace > 0)
740 distributeSpaceToTracks(sizingData.filteredTracks, &sizingData.filteredT racks, trackGetter, trackGrowthFunction, sizingData, additionalBreadthSpace); 740 distributeSpaceToTracks(sizingData.filteredTracks, &sizingData.filteredT racks, trackGetter, trackGrowthFunction, sizingData, additionalBreadthSpace);
741 } 741 }
742 742
743 static bool sortByGridTrackGrowthPotential(const GridTrack* track1, const GridTr ack* track2) 743 static bool sortByGridTrackGrowthPotential(const GridTrack* track1, const GridTr ack* track2)
744 { 744 {
745 if (track1->m_maxBreadth == infinity) 745 if (track1->m_maxBreadth == infinity && track2->m_maxBreadth == infinity)
Julien - ping for review 2014/09/08 21:10:13 We should probably add a comment about how this ma
746 return false;
747
748 if (track1->m_maxBreadth == infinity || track2->m_maxBreadth == infinity)
746 return track2->m_maxBreadth == infinity; 749 return track2->m_maxBreadth == infinity;
747 750
748 if (track2->m_maxBreadth == infinity)
749 return true;
750
751 return (track1->m_maxBreadth - track1->m_usedBreadth) < (track2->m_maxBreadt h - track2->m_usedBreadth); 751 return (track1->m_maxBreadth - track1->m_usedBreadth) < (track2->m_maxBreadt h - track2->m_usedBreadth);
752 } 752 }
753 753
754 void RenderGrid::distributeSpaceToTracks(Vector<GridTrack*>& tracks, Vector<Grid Track*>* tracksForGrowthAboveMaxBreadth, AccumulatorGetter trackGetter, Accumula torGrowFunction trackGrowthFunction, GridSizingData& sizingData, LayoutUnit& ava ilableLogicalSpace) 754 void RenderGrid::distributeSpaceToTracks(Vector<GridTrack*>& tracks, Vector<Grid Track*>* tracksForGrowthAboveMaxBreadth, AccumulatorGetter trackGetter, Accumula torGrowFunction trackGrowthFunction, GridSizingData& sizingData, LayoutUnit& ava ilableLogicalSpace)
755 { 755 {
756 ASSERT(availableLogicalSpace > 0); 756 ASSERT(availableLogicalSpace > 0);
757 std::sort(tracks.begin(), tracks.end(), sortByGridTrackGrowthPotential); 757 std::sort(tracks.begin(), tracks.end(), sortByGridTrackGrowthPotential);
758 758
759 size_t tracksSize = tracks.size(); 759 size_t tracksSize = tracks.size();
760 sizingData.distributeTrackVector.resize(tracksSize); 760 sizingData.distributeTrackVector.resize(tracksSize);
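Review bot: the new both-infinite early return at new lines 745-746 of sortByGridTrackGrowthPotential carries no comment explaining why it has to return false. The comparator is handed to std::sort at line 757, which requires a strict weak ordering, so comparing a track whose m_maxBreadth is infinity against itself or against another infinite track must yield false; the old code returned true for that case (old lines 745-746), which matches the heap-buffer-overflow in std::sort() named in the issue title. Suggest a short comment above the check, for example "// std::sort requires a strict weak ordering: two tracks with infinite max breadth are equivalent, so neither sorts before the other." Once that check has run, exactly one track is infinite in the second condition, so a one-line note that finite tracks sort before infinite ones would also make "return track2->m_maxBreadth == infinity;" easier to read.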
(...skipping 662 matching lines...)
1423 if (isOutOfFlowPositioned()) 1423 if (isOutOfFlowPositioned())
1424 return "RenderGrid (positioned)"; 1424 return "RenderGrid (positioned)";
1425 if (isAnonymous()) 1425 if (isAnonymous())
1426 return "RenderGrid (generated)"; 1426 return "RenderGrid (generated)";
1427 if (isRelPositioned()) 1427 if (isRelPositioned())
1428 return "RenderGrid (relative positioned)"; 1428 return "RenderGrid (relative positioned)";
1429 return "RenderGrid"; 1429 return "RenderGrid";
1430 } 1430 }
1431 1431
1432 } // namespace blink 1432 } // namespace blink