Changeset 138994 in webkit

Timestamp:

Jan 7, 2013, 2:56:02 PM (12 years ago)

Author:

junov@google.com

Message:

Fixing memory read after free in CanvasRenderingContext2D::accessFont
​https://bugs.webkit.org/show_bug.cgi?id=106244

Reviewed by Abhishek Arya.

Source/WebCore:

Using a temporary String object to hold ref count on string that is
passed by reference in CanvasRenderingContext2D::accessFont.

Test: fast/canvas/canvas-measureText.html

• html/canvas/CanvasRenderingContext2D.cpp:

(WebCore::CanvasRenderingContext2D::accessFont):

LayoutTests:

New test case to verify stability of 2D canvas method measureText.
Test case was causing a DumpRenderTree crash on builds with
AddressSantitizer instrumentation.

• fast/canvas/canvas-measureText-expected.txt: Added.
• fast/canvas/canvas-measureText.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/canvas/canvas-measureText-expected.txt (added)
• LayoutTests/fast/canvas/canvas-measureText.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2013-01-07  Justin Novosad  <junov@google.com>
+
+        Fixing memory read after free in CanvasRenderingContext2D::accessFont
+        https://bugs.webkit.org/show_bug.cgi?id=106244
+
+        Reviewed by Abhishek Arya.
+
+        New test case to verify stability of 2D canvas method measureText.
+        Test case was causing a DumpRenderTree crash on builds with
+        AddressSantitizer instrumentation.
+
+        * fast/canvas/canvas-measureText-expected.txt: Added.
+        * fast/canvas/canvas-measureText.html: Added.
+
 2013-01-07  Abhishek Arya  <inferno@chromium.org>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2013-01-07  Justin Novosad  <junov@google.com>
+
+        Fixing memory read after free in CanvasRenderingContext2D::accessFont
+        https://bugs.webkit.org/show_bug.cgi?id=106244
+
+        Reviewed by Abhishek Arya.
+
+        Using a temporary String object to hold ref count on string that is
+        passed by reference in CanvasRenderingContext2D::accessFont.
+
+        Test: fast/canvas/canvas-measureText.html
+
+        * html/canvas/CanvasRenderingContext2D.cpp:
+        (WebCore::CanvasRenderingContext2D::accessFont):
+
 2013-01-07  Anders Carlsson  <andersca@apple.com>
 

trunk/Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp

@@ -2374 +2374 @@
     canvas()->document()->updateStyleIfNeeded();
 
-    if (!state().m_realizedFont)
-        setFont(state().m_unparsedFont);
+    if (!state().m_realizedFont) {
+        // Create temporary string object to hold ref count in case
+        // state().m_unparsedFont in unreffed by call to realizeSaves in
+        // setFont.
+        String unparsedFont(state().m_unparsedFont);
+        setFont(unparsedFont);
+    }
     return state().m_font;
 }