diff --git a/patches/chromium/.patches b/patches/chromium/.patches index 1b427285dd087..40839e0aa040e 100644 --- a/patches/chromium/.patches +++ b/patches/chromium/.patches @@ -121,4 +121,5 @@ fix_windows_build_with_enable_plugins_false.patch remove_default_window_title.patch add_electron_deps_to_license_credits_file.patch feat_add_set_can_resize_mutator.patch +cherry-pick-2083e894852c.patch cherry-pick-51daffbf5cd8.patch diff --git a/patches/chromium/cherry-pick-2083e894852c.patch b/patches/chromium/cherry-pick-2083e894852c.patch new file mode 100644 index 0000000000000..2b5e10a91ac3d --- /dev/null +++ b/patches/chromium/cherry-pick-2083e894852c.patch @@ -0,0 +1,29 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Anton Bikineev +Date: Sun, 10 Jul 2022 22:17:03 +0000 +Subject: Fix heap-overflow in blink::TableLayoutAlgorithmAuto::InsertSpanCell + +The CL fixes size confusion between Member<> and raw pointers. + +The bug was found (and the fix was proposed) by m.cooolie@gmail.com. + +Bug: 1341539 +Change-Id: I99d524fd65c2d6305693d09ad274c23178271269 +Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3751138 +Reviewed-by: Kentaro Hara +Commit-Queue: Anton Bikineev +Cr-Commit-Position: refs/heads/main@{#1022529} + +diff --git a/third_party/blink/renderer/core/layout/table_layout_algorithm_auto.cc b/third_party/blink/renderer/core/layout/table_layout_algorithm_auto.cc +index 1e1575cf47027584a9d06d7c5f6046fa15990b10..1a4a06a4761c52b8dd9ae9052b7c51b9236694a5 100644 +--- a/third_party/blink/renderer/core/layout/table_layout_algorithm_auto.cc ++++ b/third_party/blink/renderer/core/layout/table_layout_algorithm_auto.cc +@@ -673,7 +673,7 @@ void TableLayoutAlgorithmAuto::InsertSpanCell(LayoutTableCell* cell) { + span > span_cells_[pos]->ColSpan()) + pos++; + memmove(span_cells_.data() + pos + 1, span_cells_.data() + pos, +- (size - pos - 1) * sizeof(LayoutTableCell*)); ++ (size - pos - 1) * sizeof(decltype(span_cells_)::value_type)); + span_cells_[pos] = cell; + } +