Properly clear m_logicallyLastRun to remove use-after-free possibility

https://bugs.webkit.org/show_bug.cgi?id=129489 Reviewed by David Hyatt. A use-after-free issue was caught in Blink because m_logicallyLastRun is not cleared when the item it points to is deleted. Clearing it turns the use-after-free into a segfault, and prevents any future use-after-frees from happening. * platform/text/BidiRunList.h: (WebCore::BidiRunList<Run>::deleteRuns): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@164876 268f45cc-cd09-0410-ab3c-d52691b4dbfc Change-Id: Ia76a5723ea649e7a3609fc26025dd5bbd96f3302 Reviewed-by: Allan Sandfeld Jensen <allan.jensen@theqtcompany.com>
author: Bem Jones-Bey <bjonesbe@adobe.com> 2014-02-28 19:19:03 +0000
committer: Konstantin Tokarev <annulen@yandex.ru> 2016-02-01 20:59:31 +0000
commit: 999ff247a5a0ca31ba21d24933789541ca790fce (patch)
tree: d891ba83334897acc9546e6dc9cf67fadf7d7b6a
parent: bccaed38b0c7aacac12e3140ed571aa2a8fadd87 (diff)
download: qtwebkit-999ff247a5a0ca31ba21d24933789541ca790fce.tar.gz
1 files changed, 1 insertions, 3 deletions
diff --git a/Source/WebCore/platform/text/BidiRunList.h b/Source/WebCore/platform/text/BidiRunList.h
index d6db7ee49..c5d6ba648 100644
--- a/Source/WebCore/platform/text/BidiRunList.h
+++ b/Source/WebCore/platform/text/BidiRunList.h
@@ -193,9 +193,7 @@ void BidiRunList<Run>::deleteRuns()
         curr = s;
     }
 
-    m_firstRun = 0;
-    m_lastRun = 0;
-    m_runCount = 0;
+    clearWithoutDestroyingRuns();
 }
 
 template <class Run>
author	Bem Jones-Bey <bjonesbe@adobe.com>	2014-02-28 19:19:03 +0000
committer	Konstantin Tokarev <annulen@yandex.ru>	2016-02-01 20:59:31 +0000
commit	999ff247a5a0ca31ba21d24933789541ca790fce (patch)
tree	d891ba83334897acc9546e6dc9cf67fadf7d7b6a
parent	bccaed38b0c7aacac12e3140ed571aa2a8fadd87 (diff)
download	qtwebkit-999ff247a5a0ca31ba21d24933789541ca790fce.tar.gz