|
|
@@ -0,0 +1,29 @@
|
|
|
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
|
+From: Anton Bikineev <[email protected]>
|
|
|
+Date: Sun, 10 Jul 2022 22:17:03 +0000
|
|
|
+Subject: Fix heap-overflow in blink::TableLayoutAlgorithmAuto::InsertSpanCell
|
|
|
+
|
|
|
+The CL fixes size confusion between Member<> and raw pointers.
|
|
|
+
|
|
|
+The bug was found (and the fix was proposed) by [email protected].
|
|
|
+
|
|
|
+Bug: 1341539
|
|
|
+Change-Id: I99d524fd65c2d6305693d09ad274c23178271269
|
|
|
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3751138
|
|
|
+Reviewed-by: Kentaro Hara <[email protected]>
|
|
|
+Commit-Queue: Anton Bikineev <[email protected]>
|
|
|
+Cr-Commit-Position: refs/heads/main@{#1022529}
|
|
|
+
|
|
|
+diff --git a/third_party/blink/renderer/core/layout/table_layout_algorithm_auto.cc b/third_party/blink/renderer/core/layout/table_layout_algorithm_auto.cc
|
|
|
+index 1e1575cf47027584a9d06d7c5f6046fa15990b10..1a4a06a4761c52b8dd9ae9052b7c51b9236694a5 100644
|
|
|
+--- a/third_party/blink/renderer/core/layout/table_layout_algorithm_auto.cc
|
|
|
++++ b/third_party/blink/renderer/core/layout/table_layout_algorithm_auto.cc
|
|
|
+@@ -673,7 +673,7 @@ void TableLayoutAlgorithmAuto::InsertSpanCell(LayoutTableCell* cell) {
|
|
|
+ span > span_cells_[pos]->ColSpan())
|
|
|
+ pos++;
|
|
|
+ memmove(span_cells_.data() + pos + 1, span_cells_.data() + pos,
|
|
|
+- (size - pos - 1) * sizeof(LayoutTableCell*));
|
|
|
++ (size - pos - 1) * sizeof(decltype(span_cells_)::value_type));
|
|
|
+ span_cells_[pos] = cell;
|
|
|
+ }
|
|
|
+
|
Pedro Pontes