Title: [138994] trunk
- Revision
- 138994
- Author
- ju...@google.com
- Date
- 2013-01-07 14:56:02 -0800 (Mon, 07 Jan 2013)
Log Message
Fixing memory read after free in CanvasRenderingContext2D::accessFont
https://bugs.webkit.org/show_bug.cgi?id=106244
Reviewed by Abhishek Arya.
Source/WebCore:
Using a temporary String object to hold ref count on string that is
passed by reference in CanvasRenderingContext2D::accessFont.
Test: fast/canvas/canvas-measureText.html
* html/canvas/CanvasRenderingContext2D.cpp:
(WebCore::CanvasRenderingContext2D::accessFont):
LayoutTests:
New test case to verify stability of 2D canvas method measureText.
Test case was causing a DumpRenderTree crash on builds with
AddressSanitizer instrumentation.
* fast/canvas/canvas-measureText-expected.txt: Added.
* fast/canvas/canvas-measureText.html: Added.
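As an added illustration of the mechanism the log message describes (example code, not WebCore's): a constructed model of the 2D-context state stack in which realizeSaves() appends to a std::vector and can therefore reallocate, invalidating any reference into the old top state, alongside the patched accessFont() that copies the string before calling setFont(). std::string stands in for WTF::String; the other names follow the patch.

```cpp
#include <string>
#include <vector>

// Constructed model of the 2D-context state stack (example code, not WebCore's).
struct State { std::string m_unparsedFont = "10px sans-serif"; bool m_realizedFont = false; };

class Context2D {
public:
    Context2D() : m_stateStack(1) {}
    void save() { ++m_unrealizedSaveCount; }   // lazy: nothing is copied yet
    void restore() { if (m_unrealizedSaveCount) --m_unrealizedSaveCount; else if (m_stateStack.size() > 1) m_stateStack.pop_back(); }
    // setFont() materialises pending saves first. push_back() may reallocate
    // m_stateStack, so a 'font' referring into the old top state would dangle here.
    void setFont(const std::string& font) {
        realizeSaves();
        state().m_unparsedFont = font;      // the read that the original bug made through freed memory
        state().m_realizedFont = true;
    }
    // Patched accessFont(): copy into a local first, so the argument refers to
    // storage that realizeSaves() cannot free (in WebCore the String copy holds a ref).
    const std::string& accessFont() {
        if (!state().m_realizedFont) {
            std::string unparsedFont(state().m_unparsedFont);
            setFont(unparsedFont);
        }
        return state().m_unparsedFont;
    }
    unsigned reallocations() const { return m_reallocations; }
private:
    void realizeSaves() {
        unsigned before = m_stateStack.capacity();
        for (; m_unrealizedSaveCount; --m_unrealizedSaveCount)
            m_stateStack.push_back(m_stateStack.back());
        m_reallocations += m_stateStack.capacity() != before;   // well-defined reallocation check
    }
    State& state() { return m_stateStack.back(); }
    std::vector<State> m_stateStack;
    unsigned m_unrealizedSaveCount = 0, m_reallocations = 0;
};

// Mirrors the regression test's restore/save/save/measureText loop; returns how often
// realizeSaves() grew the stack during a font access, i.e. how often the unpatched
// code would have read freed memory.
unsigned runMeasureTextLoop() {
    Context2D context;
    for (int x = 0; x < 100; ++x) {
        context.restore(); context.save(); context.save();
        context.accessFont();   // what measureText() reaches internally
    }
    return context.reallocations();
}
```

The reallocation counter shows that the test's save/save pattern really does move the stack while the font is being accessed, which is why ASan flagged the unpatched code.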
Diff
Modified: trunk/LayoutTests/ChangeLog (138993 => 138994)
--- trunk/LayoutTests/ChangeLog 2013-01-07 22:52:17 UTC (rev 138993)
+++ trunk/LayoutTests/ChangeLog 2013-01-07 22:56:02 UTC (rev 138994)
@@ -1,3 +1,17 @@
+2013-01-07 Justin Novosad <ju...@google.com>
+
+ Fixing memory read after free in CanvasRenderingContext2D::accessFont
+ https://bugs.webkit.org/show_bug.cgi?id=106244
+
+ Reviewed by Abhishek Arya.
+
+ New test case to verify stability of 2D canvas method measureText.
+ Test case was causing a DumpRenderTree crash on builds with
+ AddressSantitizer instrumentation.
+
+ * fast/canvas/canvas-measureText-expected.txt: Added.
+ * fast/canvas/canvas-measureText.html: Added.
+
2013-01-07 Abhishek Arya <infe...@chromium.org>
Heap-buffer-overflow in WebCore::RenderBlock::clone.
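Review bot: the new ChangeLog entry misspells the tool name in `+    AddressSantitizer instrumentation.`; it should read AddressSanitizer so the entry matches the project's other ASan references and stays searchable.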
Added: trunk/LayoutTests/fast/canvas/canvas-measureText-expected.txt (0 => 138994)
--- trunk/LayoutTests/fast/canvas/canvas-measureText-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/canvas/canvas-measureText-expected.txt 2013-01-07 22:56:02 UTC (rev 138994)
@@ -0,0 +1,5 @@
+Regression test for bug 106244
+
+Test passes by not crashing.
+
+
Added: trunk/LayoutTests/fast/canvas/canvas-measureText.html (0 => 138994)
--- trunk/LayoutTests/fast/canvas/canvas-measureText.html (rev 0)
+++ trunk/LayoutTests/fast/canvas/canvas-measureText.html 2013-01-07 22:56:02 UTC (rev 138994)
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+<body>
+<p>Regression test for bug <a href=""
+<p>Test passes by not crashing.</p>
+<canvas id="test"></canvas>
+</body>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+
+var canvas = document.getElementById("test");
+var context = canvas.getContext("2d");
+for (x = 0; x < 100; x++) {
+ context.restore();
+ context.save();
+ context.save();
+ context.measureText("a", 0, 0, 0);
+}
+</script>
+</html>
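Review bot: the first paragraph of the added test is malformed: `<a href=""` is an empty, unclosed anchor and its `<p>` is never closed, so the bug reference the text promises never appears; either point it at https://bugs.webkit.org/show_bug.cgi?id=106244 (the URL from the ChangeLog) and close both tags, or drop the anchor. Two smaller points: the loop counter `x` is never declared with `var` and leaks as a global, and `measureText("a", 0, 0, 0)` passes three extra arguments the method ignores, so `measureText("a")` states the intent more plainly. A one-line comment that the two unrealized save() calls are what make realizeSaves() grow the state stack during measureText would also help whoever next touches this test.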
Modified: trunk/Source/WebCore/ChangeLog (138993 => 138994)
--- trunk/Source/WebCore/ChangeLog 2013-01-07 22:52:17 UTC (rev 138993)
+++ trunk/Source/WebCore/ChangeLog 2013-01-07 22:56:02 UTC (rev 138994)
@@ -1,3 +1,18 @@
+2013-01-07 Justin Novosad <ju...@google.com>
+
+ Fixing memory read after free in CanvasRenderingContext2D::accessFont
+ https://bugs.webkit.org/show_bug.cgi?id=106244
+
+ Reviewed by Abhishek Arya.
+
+ Using a temporary String object to hold ref count on string that is
+ passed by reference in CanvasRenderingContext2D::accessFont.
+
+ Test: fast/canvas/canvas-measureText.html
+
+ * html/canvas/CanvasRenderingContext2D.cpp:
+ (WebCore::CanvasRenderingContext2D::accessFont):
+
2013-01-07 Anders Carlsson <ander...@apple.com>
DOMEvents.h should include DOMProgressEvent.h
Modified: trunk/Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp (138993 => 138994)
--- trunk/Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp 2013-01-07 22:52:17 UTC (rev 138993)
+++ trunk/Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp 2013-01-07 22:56:02 UTC (rev 138994)
@@ -2373,8 +2373,13 @@
{
canvas()->document()->updateStyleIfNeeded();
- if (!state().m_realizedFont)
- setFont(state().m_unparsedFont);
+ if (!state().m_realizedFont) {
+ // Create temporary string object to hold ref count in case
+ // state().m_unparsedFont in unreffed by call to realizeSaves in
+ // setFont.
+ String unparsedFont(state().m_unparsedFont);
+ setFont(unparsedFont);
+ }
return state().m_font;
}
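Review bot: the new comment has a typo (`state().m_unparsedFont in unreffed` should be `is unreffed`) and would be more useful if it named the actual hazard: realizeSaves() appends to the state stack, which can reallocate and free the State that `state().m_unparsedFont` refers to, so the copy has to be taken before setFont() is entered. The copy itself is the right fix, since the temporary String keeps the underlying string alive for the duration of the call. Because setFont() takes its argument by reference, any other caller that hands a member of state() to a method that realizes saves has the same exposure; worth a quick audit of the other accessors in this file that call setters.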
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo/webkit-changes