github/electron
1
1
Fork 0
mirror of https://github.com/electron/electron.git synced 2026-04-10 03:01:51 -04:00
Code Issues Packages Projects Releases Wiki Activity

chore: cherry-pick 2083e894852c from chromium (#35553)

Browse Source 
* chore: [20-x-y] cherry-pick 2083e894852c from chromium

* chore: update patches

* chore: update patches

Co-authored-by: PatchUp <73610968+patchup[bot]@users.noreply.github.com>
Co-authored-by: Electron Bot <electron@github.com>
This commit is contained in:
Pedro Pontes
2022-09-07 15:33:58 +02:00
committed by GitHub
parent 85ae4c4a77
commit 389911d7e2
2 changed files with 30 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
patches/chromium/.patches
View File

@@ -121,4 +121,5 @@ fix_windows_build_with_enable_plugins_false.patch
remove_default_window_title.patch
add_electron_deps_to_license_credits_file.patch
feat_add_set_can_resize_mutator.patch
cherry-pick-2083e894852c.patch
cherry-pick-51daffbf5cd8.patch

29
patches/chromium/cherry-pick-2083e894852c.patch Normal file
View File

@@ -0,0 +1,29 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Anton Bikineev <bikineev@chromium.org>
Date: Sun, 10 Jul 2022 22:17:03 +0000
Subject: Fix heap-overflow in blink::TableLayoutAlgorithmAuto::InsertSpanCell
The CL fixes size confusion between Member<> and raw pointers.
The bug was found (and the fix was proposed) by m.cooolie@gmail.com.
Bug: 1341539
Change-Id: I99d524fd65c2d6305693d09ad274c23178271269
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3751138
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1022529}
diff --git a/third_party/blink/renderer/core/layout/table_layout_algorithm_auto.cc b/third_party/blink/renderer/core/layout/table_layout_algorithm_auto.cc
index 1e1575cf47027584a9d06d7c5f6046fa15990b10..1a4a06a4761c52b8dd9ae9052b7c51b9236694a5 100644
--- a/third_party/blink/renderer/core/layout/table_layout_algorithm_auto.cc
+++ b/third_party/blink/renderer/core/layout/table_layout_algorithm_auto.cc
@@ -673,7 +673,7 @@ void TableLayoutAlgorithmAuto::InsertSpanCell(LayoutTableCell* cell) {
span > span_cells_[pos]->ColSpan())
pos++;
memmove(span_cells_.data() + pos + 1, span_cells_.data() + pos,
- (size - pos - 1) * sizeof(LayoutTableCell*));
+ (size - pos - 1) * sizeof(decltype(span_cells_)::value_type));
span_cells_[pos] = cell;
}