diff options
| author | Allan Sandfeld Jensen <allan.jensen@digia.com> | 2013-01-23 11:52:54 +0100 |
|---|---|---|
| committer | The Qt Project <gerrit-noreply@qt-project.org> | 2013-01-23 12:45:19 +0100 |
| commit | 3a94b1a765225089e710e11626ecee20de516ec6 (patch) | |
| tree | d7a86d6634b9f274a556d9504c1a48f70177d5cd /Source | |
| parent | 28b2bb706534bc641f475dbc3e5cf32b9f39fb8c (diff) | |
| download | qtwebkit-3a94b1a765225089e710e11626ecee20de516ec6.tar.gz | |
Fixing memory read after free in CanvasRenderingContext2D::accessFont
https://bugs.webkit.org/show_bug.cgi?id=106244
Reviewed by Abhishek Arya.
Using a temporary String object to hold ref count on string that is
passed by reference in CanvasRenderingContext2D::accessFont.
Test: fast/canvas/canvas-measureText.html
* html/canvas/CanvasRenderingContext2D.cpp:
(WebCore::CanvasRenderingContext2D::accessFont):
Change-Id: Icfab9c7b7e870af9ca9ba05a1b803b51a9a329ad
Reviewed-by: Zeno Albisser <zeno.albisser@digia.com>
Diffstat (limited to 'Source')
| -rw-r--r-- | Source/WebCore/ChangeLog | 15 | ||||
| -rw-r--r-- | Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp | 9 |
2 files changed, 22 insertions, 2 deletions
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog index 1117245f6..80c72adf5 100644 --- a/Source/WebCore/ChangeLog +++ b/Source/WebCore/ChangeLog @@ -1,3 +1,18 @@ +2013-01-07 Justin Novosad <junov@google.com> + + Fixing memory read after free in CanvasRenderingContext2D::accessFont + https://bugs.webkit.org/show_bug.cgi?id=106244 + + Reviewed by Abhishek Arya. + + Using a temporary String object to hold ref count on string that is + passed by reference in CanvasRenderingContext2D::accessFont. + + Test: fast/canvas/canvas-measureText.html + + * html/canvas/CanvasRenderingContext2D.cpp: + (WebCore::CanvasRenderingContext2D::accessFont): + 2013-01-17 Poul Sysolyatin <psytonx@gmail.com> 32-bit build for Qt5 on Mac OS fails. diff --git a/Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp b/Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp index 3eb38a105..8899830c0 100644 --- a/Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp +++ b/Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp @@ -2363,8 +2363,13 @@ const Font& CanvasRenderingContext2D::accessFont() { canvas()->document()->updateStyleIfNeeded(); - if (!state().m_realizedFont) - setFont(state().m_unparsedFont); + if (!state().m_realizedFont) { + // Create temporary string object to hold ref count in case + // state().m_unparsedFont in unreffed by call to realizeSaves in + // setFont. + String unparsedFont(state().m_unparsedFont); + setFont(unparsedFont); + } return state().m_font; } |