Title: [141810] trunk
- Revision: 141810
- Author: [email protected]
- Date: 2013-02-04 14:18:00 -0800 (Mon, 04 Feb 2013)
Log Message
[CSS Grid Layout] Heap-buffer-overflow in std::sort
https://bugs.webkit.org/show_bug.cgi?id=108834
Reviewed by Abhishek Arya.
Source/WebCore:
Test: fast/css-grid-layout/grid-strict-ordering-crash.html
* rendering/RenderGrid.cpp:
(WebCore::sortByGridTrackGrowthPotential):
The std::sort documentation says that this function should define a *strict* weak ordering. Fixed the strict
part of the ordering. Also moved the function definition next to where it is needed and made the GridTrack
argument const (as it shouldn't modify them or std::sort will misbehave).
* rendering/RenderGrid.cpp:
(WebCore::sortByGridTrackGrowthPotential):
(WebCore):
LayoutTests:
* fast/css-grid-layout/grid-strict-ordering-crash-expected.txt: Added.
* fast/css-grid-layout/grid-strict-ordering-crash.html: Added.
The test requires a column / row index above the Vector inline capacity to work (which is currently 16).
The values are much higher in case we decide to bump the inline capacity.
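The strict weak ordering requirement the log message refers to, as an added example that is not part of this changeset or of WebKit: a hypothetical `Track` struct standing in for `GridTrack` (with `int` in place of `LayoutUnit`), the `<=` comparator beside the `<` one, and a small checker that tests the ordering axioms `std::sort` relies on over a constructed sample. All names (`Track`, `growthPotential`, `isStrictWeakOrderingOn`, the `sortByGrowthPotential*` functions) are assumptions for this example. Only the strict comparator is ever passed to `std::sort`; the non-strict one is just inspected.

```cpp
#include <algorithm>
#include <vector>

// Hypothetical stand-in for WebCore's GridTrack: only the two fields the
// comparator reads, with int replacing LayoutUnit.
struct Track {
    int maxBreadth;
    int usedBreadth;
};

// Growth potential: how much the track can still grow.
static int growthPotential(const Track* t)
{
    return t->maxBreadth - t->usedBreadth;
}

// Shape of the comparator this changeset removes (rewritten here, not WebKit's
// code): `<=` makes comp(a, a) true, so it is not irreflexive and therefore
// not a strict weak ordering.
static bool sortByGrowthPotentialNonStrict(const Track* a, const Track* b)
{
    return growthPotential(a) <= growthPotential(b);
}

// Shape of the fixed comparator: `<` is irreflexive, asymmetric and transitive.
static bool sortByGrowthPotentialStrict(const Track* a, const Track* b)
{
    return growthPotential(a) < growthPotential(b);
}

// Exhaustively checks the strict-weak-ordering axioms on a sample:
// irreflexivity, asymmetry, transitivity, and transitivity of
// incomparability. Returns true only if every check passes.
template <typename T, typename Compare>
static bool isStrictWeakOrderingOn(const std::vector<T>& items, Compare comp)
{
    auto equiv = [&](const T& x, const T& y) { return !comp(x, y) && !comp(y, x); };
    for (const T& a : items) {
        if (comp(a, a))
            return false; // irreflexivity
        for (const T& b : items) {
            if (comp(a, b) && comp(b, a))
                return false; // asymmetry
            for (const T& c : items) {
                if (comp(a, b) && comp(b, c) && !comp(a, c))
                    return false; // transitivity
                if (equiv(a, b) && equiv(b, c) && !equiv(a, c))
                    return false; // transitivity of equivalence
            }
        }
    }
    return true;
}

// Constructed sample. Repeated growth potentials (8, 0, 8, 8, 0) are exactly
// the inputs that expose `<=`: equal elements compare true both ways.
static std::vector<Track> sampleTracks()
{
    return { {10, 2}, {5, 5}, {8, 0}, {12, 4}, {9, 9} };
}

static std::vector<const Track*> pointersTo(const std::vector<Track>& tracks)
{
    std::vector<const Track*> ptrs;
    for (const Track& t : tracks)
        ptrs.push_back(&t);
    return ptrs;
}

// false: the `<=` comparator fails irreflexivity on the sample.
bool nonStrictComparatorIsValid()
{
    std::vector<Track> tracks = sampleTracks();
    return isStrictWeakOrderingOn(pointersTo(tracks), sortByGrowthPotentialNonStrict);
}

// true: the `<` comparator satisfies every axiom on the sample.
bool strictComparatorIsValid()
{
    std::vector<Track> tracks = sampleTracks();
    return isStrictWeakOrderingOn(pointersTo(tracks), sortByGrowthPotentialStrict);
}

// Sorts with the fixed comparator and returns the growth potentials in order.
std::vector<int> sortedGrowthPotentials()
{
    std::vector<Track> tracks = sampleTracks();
    std::vector<const Track*> ptrs = pointersTo(tracks);
    std::sort(ptrs.begin(), ptrs.end(), sortByGrowthPotentialStrict);
    std::vector<int> out;
    for (const Track* t : ptrs)
        out.push_back(growthPotential(t));
    return out;
}
```

The checker is cubic in the sample size, which is fine for a unit test but not for production data; its value is that a comparator can be validated on a handful of elements with duplicates before it is ever handed to `std::sort`, where a non-strict ordering is undefined behaviour rather than a reported error.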
Diff
Modified: trunk/LayoutTests/ChangeLog (141809 => 141810)
--- trunk/LayoutTests/ChangeLog 2013-02-04 22:13:39 UTC (rev 141809)
+++ trunk/LayoutTests/ChangeLog 2013-02-04 22:18:00 UTC (rev 141810)
@@ -1,3 +1,15 @@
+2013-02-04 Julien Chaffraix <[email protected]>
+
+ [CSS Grid Layout] Heap-buffer-overflow in std::sort
+ https://bugs.webkit.org/show_bug.cgi?id=108834
+
+ Reviewed by Abhishek Arya.
+
+ * fast/css-grid-layout/grid-strict-ordering-crash-expected.txt: Added.
+ * fast/css-grid-layout/grid-strict-ordering-crash.html: Added.
+ The test requires a column / row index above the Vector inline capacity to work (which is currently 16).
+ The values are much higher in case we decide to bump the inline capacity.
+
2013-02-04 Dima Gorbik <[email protected]>
class="cue" is getting some default style
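Review bot: the rationale for the specific indices (must exceed the Vector inline capacity of 16, chosen much higher in case the capacity is bumped) lives only in this ChangeLog entry; put the same sentence as a comment in grid-strict-ordering-crash.html next to the `-webkit-grid-column: 100` and `-webkit-grid-row: 30` declarations, so anyone later "tidying" the test to smaller values sees why that would stop it reproducing the bug.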
Added: trunk/LayoutTests/fast/css-grid-layout/grid-strict-ordering-crash-expected.txt (0 => 141810)
--- trunk/LayoutTests/fast/css-grid-layout/grid-strict-ordering-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/css-grid-layout/grid-strict-ordering-crash-expected.txt 2013-02-04 22:18:00 UTC (rev 141810)
@@ -0,0 +1,5 @@
+Bug 108834: [CSS Grid Layout] Heap-buffer-overflow in std::sort
+
+This test has PASSED if it doesn't CRASH.
+
+
Added: trunk/LayoutTests/fast/css-grid-layout/grid-strict-ordering-crash.html (0 => 141810)
--- trunk/LayoutTests/fast/css-grid-layout/grid-strict-ordering-crash.html (rev 0)
+++ trunk/LayoutTests/fast/css-grid-layout/grid-strict-ordering-crash.html 2013-02-04 22:18:00 UTC (rev 141810)
@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<script>
+ if (window.testRunner) {
+ testRunner.overridePreference("WebKitCSSGridLayoutEnabled", 1);
+ testRunner.dumpAsText();
+ }
+</script>
+<link href="" rel=stylesheet>
+<p><a href="" 108834</a>: [CSS Grid Layout] Heap-buffer-overflow in std::sort</p>
+<p>This test has PASSED if it doesn't CRASH.</p>
+<div class="grid">
+ <div style="-webkit-grid-column: 100;"></div>
+ <div style="-webkit-grid-row: 30;"></div>
+</div>
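Review bot: two markup problems in the new test as shown here. `<link href="" rel=stylesheet>` has an empty `href`, so the `.grid` div gets no stylesheet and nothing in this file makes it a grid container, which the crash path presumably needs; either point `href` at the grid stylesheet the test is meant to share (path not visible in this diff) or add an inline `.grid { display: -webkit-grid; }` rule. The bug link `<a href="" 108834</a>` is also missing the `>` closing the opening tag and its URL; use `<a href="https://bugs.webkit.org/show_bug.cgi?id=108834">108834</a>`, matching the bug URL in the ChangeLog.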
Modified: trunk/Source/WebCore/ChangeLog (141809 => 141810)
--- trunk/Source/WebCore/ChangeLog 2013-02-04 22:13:39 UTC (rev 141809)
+++ trunk/Source/WebCore/ChangeLog 2013-02-04 22:18:00 UTC (rev 141810)
@@ -1,3 +1,22 @@
+2013-02-04 Julien Chaffraix <[email protected]>
+
+ [CSS Grid Layout] Heap-buffer-overflow in std::sort
+ https://bugs.webkit.org/show_bug.cgi?id=108834
+
+ Reviewed by Abhishek Arya.
+
+ Test: fast/css-grid-layout/grid-strict-ordering-crash.html
+
+ * rendering/RenderGrid.cpp:
+ (WebCore::sortByGridTrackGrowthPotential):
+ The std::sort documentation says that this function should define a *strict* weak ordering. Fixed the strict
+ part of the ordering. Also moved the function definition next to where it is needed and made the GridTrack
+ argument const (as it shouldn't modify them or std::sort will misbehave).
+
+ * rendering/RenderGrid.cpp:
+ (WebCore::sortByGridTrackGrowthPotential):
+ (WebCore):
+
2013-02-04 Igor Oliveira <[email protected]>
[Texmap] Implement BGRA swizzling detection
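Review bot: the entry lists `* rendering/RenderGrid.cpp:` twice with `(WebCore::sortByGridTrackGrowthPotential):` under both, plus an orphan `(WebCore):` line that describes nothing; this looks like prepare-ChangeLog output for the moved function that was left in beside the hand-written entry. Merge them into a single `* rendering/RenderGrid.cpp:` block with one `(WebCore::sortByGridTrackGrowthPotential):` line and the explanation beneath it.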
Modified: trunk/Source/WebCore/rendering/RenderGrid.cpp (141809 => 141810)
--- trunk/Source/WebCore/rendering/RenderGrid.cpp 2013-02-04 22:13:39 UTC (rev 141809)
+++ trunk/Source/WebCore/rendering/RenderGrid.cpp 2013-02-04 22:18:00 UTC (rev 141810)
@@ -262,11 +262,6 @@
return valueForLength(trackLength, direction == ForColumns ? logicalWidth() : computeContentLogicalHeight(MainOrPreferredSize, style()->logicalHeight()), view());
}
-static bool sortByGridTrackGrowthPotential(GridTrack* track1, GridTrack* track2)
-{
- return (track1->m_maxBreadth - track1->m_usedBreadth) <= (track2->m_maxBreadth - track2->m_usedBreadth);
-}
-
const GridTrackSize& RenderGrid::gridTrackSize(TrackSizingDirection direction, size_t i)
{
const Vector<GridTrackSize>& trackStyles = (direction == ForColumns) ? style()->gridColumns() : style()->gridRows();
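Review bot: good that this comparator goes away: with `<=` it returns true for `comp(a, a)` and for any pair of tracks with equal growth potential, so it is not the strict weak ordering `std::sort` requires, and equal potentials (the common case when several tracks have the same sizing) are exactly the input on which such a comparator lets the sort misbehave, consistent with the heap-buffer-overflow in `std::sort` this bug reports. Since the function is only moved and re-added below, consider saying "moved" explicitly in the ChangeLog so the removal here is not mistaken for deleting a feature.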
@@ -384,6 +379,11 @@
}
}
+static bool sortByGridTrackGrowthPotential(const GridTrack* track1, const GridTrack* track2)
+{
+ return (track1->m_maxBreadth - track1->m_usedBreadth) < (track2->m_maxBreadth - track2->m_usedBreadth);
+}
+
void RenderGrid::distributeSpaceToTracks(Vector<GridTrack*>& tracks, Vector<GridTrack*>* tracksForGrowthAboveMaxBreadth, AccumulatorGetter trackGetter, AccumulatorGrowFunction trackGrowthFunction, LayoutUnit& availableLogicalSpace)
{
std::sort(tracks.begin(), tracks.end(), sortByGridTrackGrowthPotential);
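Review bot: the replacement comparator is now a strict weak ordering (`<`, and `const GridTrack*` so it cannot mutate the tracks during the sort), but nothing in the code records why `<` matters and a later edit could reintroduce `<=` without anyone noticing. Add a one-line comment above the function stating that `std::sort` requires `comp(a, a)` to be false, and since the only caller visible in this hunk is `distributeSpaceToTracks`, placing the definition directly above it as done here is the right spot for that comment.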
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes