
Side by Side Diff: Source/core/rendering/RenderGrid.cpp

Issue 493093002: [CSS Grid Layout] Heap-buffer-overflow in std::sort() (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Patch Set: Patch for landing Created 6 years, 3 months ago
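--- a/Source/core/rendering/RenderGrid.cpp
+++ b/Source/core/rendering/RenderGrid.cpp
@@ -1,10 +1,10 @@
 /*
 * Copyright (C) 2011 Apple Inc. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in the
@@ -736,26 +736,28 @@
 // FIXME: We should pass different values for |tracksForGrowthAboveMaxBreadt h|.
 
 // Specs mandate to floor additionalBreadthSpace (extra-space in specs) to 0 . Instead we directly avoid the function
 // call in those cases as it will be a noop in terms of track sizing.
 if (additionalBreadthSpace > 0)
 distributeSpaceToTracks(sizingData.filteredTracks, &sizingData.filteredT racks, trackGetter, trackGrowthFunction, sizingData, additionalBreadthSpace);
 }
 
 static bool sortByGridTrackGrowthPotential(const GridTrack* track1, const GridTr ack* track2)
 {
-if (track1->m_maxBreadth == infinity)
+// This check ensures that we respect the irreflexivity property of the stri ct weak ordering required by std::sort
+// (forall x: NOT x < x).
+if (track1->m_maxBreadth == infinity && track2->m_maxBreadth == infinity)
+return false;
+
+if (track1->m_maxBreadth == infinity || track2->m_maxBreadth == infinity)
 return track2->m_maxBreadth == infinity;
 
-if (track2->m_maxBreadth == infinity)
-return true;
-
 return (track1->m_maxBreadth - track1->m_usedBreadth) < (track2->m_maxBreadt h - track2->m_usedBreadth);
 }
 
 void RenderGrid::distributeSpaceToTracks(Vector<GridTrack*>& tracks, Vector<Grid Track*>* tracksForGrowthAboveMaxBreadth, AccumulatorGetter trackGetter, Accumula torGrowFunction trackGrowthFunction, GridSizingData& sizingData, LayoutUnit& ava ilableLogicalSpace)
 {
 ASSERT(availableLogicalSpace > 0);
 std::sort(tracks.begin(), tracks.end(), sortByGridTrackGrowthPotential);
 
 size_t tracksSize = tracks.size();
 sizingData.distributeTrackVector.resize(tracksSize);
@@ -1447,10 +1449,10 @@
 if (isOutOfFlowPositioned())
 return "RenderGrid (positioned)";
 if (isAnonymous())
 return "RenderGrid (generated)";
 if (isRelPositioned())
 return "RenderGrid (relative positioned)";
 return "RenderGrid";
 }
 
 } // namespace blink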
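Review bot: The comment added at new lines 746-747 of sortByGridTrackGrowthPotential names only irreflexivity and does not say what happens when the rule is broken. With the old code two distinct infinite tracks also compared "less than" each other in both directions, so asymmetry was violated as well. std::sort may walk outside the vector when its comparator is not a strict weak ordering, which matches the heap-buffer-overflow in the issue title, and the track values here are presumably derived from page-supplied CSS. I would word the comment as `// Infinite tracks must compare equivalent to each other: std::sort needs a strict weak ordering and can read out of bounds without one.` A debug-only `ASSERT(!sortByGridTrackGrowthPotential(track, track))` next to the std::sort call in distributeSpaceToTracks would catch a regression before it becomes a memory-safety bug.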