[CSS Grid Layout] Heap-buffer-overflow in std::sort()

Source/core/rendering/RenderGrid.cpp

Index: Source/core/rendering/RenderGrid.cpp
diff --git a/Source/core/rendering/RenderGrid.cpp b/Source/core/rendering/RenderGrid.cpp
index 4f474611800d3c8b62ce686754120dfe0f489ba7..609d324dc5a4b0631b29a9dcba7c3b5eee0fa04e 100644
--- a/Source/core/rendering/RenderGrid.cpp
+++ b/Source/core/rendering/RenderGrid.cpp
@@ -742,11 +742,11 @@ void RenderGrid::resolveContentBasedTrackSizingFunctionsForItems(GridTrackSizing
 
 static bool sortByGridTrackGrowthPotential(const GridTrack* track1, const GridTrack* track2)
 {
-    if (track1->m_maxBreadth == infinity)
-        return track2->m_maxBreadth == infinity;
+    if (track1->m_maxBreadth == infinity && track2->m_maxBreadth == infinity)

[Julien - ping for review, 2014/09/08 21:10:13]

We should probably add a comment about how this makes us very the irreflexivity
property of the weak ordering (x < x is false for all x).

+        return false;
 
-    if (track2->m_maxBreadth == infinity)
-        return true;
+    if (track1->m_maxBreadth == infinity || track2->m_maxBreadth == infinity)
+        return track2->m_maxBreadth == infinity;
 
     return (track1->m_maxBreadth - track1->m_usedBreadth) < (track2->m_maxBreadth - track2->m_usedBreadth);
 }