Title: [103453] branches/safari-534.54-branch/Source/WebCore
Diff
Modified: branches/safari-534.54-branch/Source/WebCore/ChangeLog (103452 => 103453)
--- branches/safari-534.54-branch/Source/WebCore/ChangeLog 2011-12-21 22:34:29 UTC (rev 103452)
+++ branches/safari-534.54-branch/Source/WebCore/ChangeLog 2011-12-21 22:35:02 UTC (rev 103453)
@@ -1,5 +1,29 @@
2011-12-21 Lucas Forschler <[email protected]>
+ Merge 95010
+
+ 2011-09-12 Adam Klein <[email protected]>
+
+ Fix out-of-bounds access in Gradient::sortStopsIfNecessary
+ https://bugs.webkit.org/show_bug.cgi?id=67958
+
+ Reviewed by Darin Adler.
+
+ Reported by Valgrind in http://crbug.com/77049.
+
+ The errant code was added as an optimization in r67804.
+ This patch reverts that one, as all parties agree that the optimization
+ doesn't seem worthwhile, and there clearly aren't any tests covering
+ the special case.
+
+ No new tests, as existing tests should cover the remaining call to
+ |std::stable_sort|.
+
+ * platform/graphics/Gradient.cpp:
+ (WebCore::Gradient::sortStopsIfNecessary):
+
+2011-12-21 Lucas Forschler <[email protected]>
+
Merge 94991
2011-09-12 Dan Bernstein <[email protected]>
Modified: branches/safari-534.54-branch/Source/WebCore/platform/graphics/Gradient.cpp (103452 => 103453)
--- branches/safari-534.54-branch/Source/WebCore/platform/graphics/Gradient.cpp 2011-12-21 22:34:29 UTC (rev 103452)
+++ branches/safari-534.54-branch/Source/WebCore/platform/graphics/Gradient.cpp 2011-12-21 22:35:02 UTC (rev 103453)
@@ -124,10 +124,6 @@
if (!m_stops.size())
return;
- // Shortcut for the ideal case (ordered 2-stop gradient)
- if (m_stops.size() == 2 && compareStops(*m_stops.begin(), *m_stops.end()))
- return;
-
std::stable_sort(m_stops.begin(), m_stops.end(), compareStops);
}
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
