authorJüri Valdmann <juri.valdmann@qt.io>2019-09-26 15:12:29 +0200
committerAllan Sandfeld Jensen <allan.jensen@qt.io>2019-09-26 15:28:26 +0000
commitaecd84f06964150987090b087318eac64c855ddb (patch)
tree83ca3d9c28f01bb9352d2bcdc7745c4f31d8bfe1
parent498ed311e5bf3c19f0e8034936f4fb995409cae5 (diff)
downloadqtwebengine-chromium-aecd84f06964150987090b087318eac64c855ddb.tar.gz
Fix crash in blink::CSSSegmentedFontFace::GetFontData
Chromium assumes that it's safe to zero-initialize an std::string. It's not though, at least not with libstdc++. That is why the std::string inside FontFaceCreationParams inside FontCacheKey inside the WTF::HashMap inside CSSSegmentedFontFace can cause a crash. Fix by changing FontCacheKeyTraits to have kEmptyValueIsZero = false. This way WTF::HashMap will actually call constructors to construct keys. The fix reveals another crash in blink::CSSFontFaceSource::GetFontData due to a similar issue. There a WTF::LinkedHashSet is used with FontCacheKey. The change to FontCacheKeyTraits should prevent this crash, but it turns out that WTF::LinkedHashSet itself is buggy because it completely ignores kEmptyValueIsZero and zeros the key anyway. Fix by changing LinkedHashSetTraits to take into account the kEmptyValueIsZero of the LinkedHashSet's value type traits. Change-Id: I7947399a98f2abd45c10ade664db76bf7d210c5e Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/third_party/blink/renderer/platform/fonts/font_cache_key.h3
-rw-r--r--chromium/third_party/blink/renderer/platform/wtf/linked_hash_set.h7
2 files changed, 8 insertions, 2 deletions
diff --git a/chromium/third_party/blink/renderer/platform/fonts/font_cache_key.h b/chromium/third_party/blink/renderer/platform/fonts/font_cache_key.h
index 0efc8fb9094..3f4a6d2af9a 100644
--- a/chromium/third_party/blink/renderer/platform/fonts/font_cache_key.h
+++ b/chromium/third_party/blink/renderer/platform/fonts/font_cache_key.h
@@ -133,6 +133,9 @@ struct FontCacheKeyHash {
struct FontCacheKeyTraits : WTF::SimpleClassHashTraits<FontCacheKey> {
STATIC_ONLY(FontCacheKeyTraits);
+ // There is an std::string in FontFaceCreationParams and with libstdc++ we
+ // cannot safely zero-initialize std::strings.
+ static const bool kEmptyValueIsZero = false;
};
} // namespace blink
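Review bot: The comment above the new `kEmptyValueIsZero` line names the symptom but not the rule or the contract the flag changes: zero-filling any non-trivially-constructible type is undefined behaviour regardless of library, libstdc++ merely fails reliably because its short-string buffer pointer is nulled. With the flag false, WTF presumably fills empty buckets through the traits' `EmptyValue()` (a default-constructed `FontCacheKey`) and detects emptiness by comparison, so a default-constructed key must compare unequal to every key that is ever inserted; stating that here keeps a later refactor of `FontFaceCreationParams` from dropping the flag without re-checking it. Suggested replacement for the two comment lines: `// FontFaceCreationParams holds a std::string, so FontCacheKey is not trivially constructible and must not be zero-filled (UB; libstdc++ crashes). Empty buckets are then built from EmptyValue(), so a default-constructed key must never equal a real one.` The hash-table code that consumes this flag is outside the hunk.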
diff --git a/chromium/third_party/blink/renderer/platform/wtf/linked_hash_set.h b/chromium/third_party/blink/renderer/platform/wtf/linked_hash_set.h
index b35b6e95f1e..842bf7e2651 100644
--- a/chromium/third_party/blink/renderer/platform/wtf/linked_hash_set.h
+++ b/chromium/third_party/blink/renderer/platform/wtf/linked_hash_set.h
@@ -141,6 +141,9 @@ class LinkedHashSetNode : public LinkedHashSetNodeBase {
DISALLOW_NEW();
public:
+ LinkedHashSetNode()
+ : LinkedHashSetNodeBase(nullptr, nullptr) {}
+
LinkedHashSetNode(const ValueArg& value,
LinkedHashSetNodeBase* prev,
LinkedHashSetNodeBase* next)
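Review bot: The added default constructor carries no comment explaining why a node now needs one, and the reason is non-obvious: once `LinkedHashSetTraits::kEmptyValueIsZero` follows the value traits, the table can no longer zero the backing and presumably builds empty slots from `EmptyValue()`, i.e. `Node()`, which must leave `next_` null so `IsEmptyValue` (second hunk, `return !node.next_;`) recognises the slot while the stored value is default-constructed rather than zero-filled. A one-line comment makes that dependency visible to the next person who touches either side: `// Empty-slot node: next_ is null (see LinkedHashSetTraits::IsEmptyValue) and the value is default-constructed, never zero-filled.` The class `LinkedHashSetNode` opens before this hunk and its remaining members continue after it.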
@@ -444,8 +447,8 @@ struct LinkedHashSetTraits
typedef ValueTraitsArg ValueTraits;
// The slot is empty when the next_ field is zero so it's safe to zero
- // the backing.
- static const bool kEmptyValueIsZero = true;
+ // the backing, as long as it's also safe to zero the value.
+ static const bool kEmptyValueIsZero = ValueTraits::kEmptyValueIsZero;
static const bool kHasIsEmptyValueFunction = true;
static bool IsEmptyValue(const Node& node) { return !node.next_; }