Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 5f0480f771ba1749663a8257eafca70af17b7cec
https://github.com/WebKit/WebKit/commit/5f0480f771ba1749663a8257eafca70af17b7cec
  Author: Chris Dumez <[email protected]>
  Date:   2026-05-24 (Sun, 24 May 2026)

  Changed paths:
    A LayoutTests/fast/text/fontface-setstatus-crash-expected.txt
    A LayoutTests/fast/text/fontface-setstatus-crash.html
    M Source/WebCore/css/CSSFontFaceSet.cpp
    M Source/WebCore/css/CSSFontFaceSet.h
    M Source/WebCore/css/FontFaceSet.cpp

  Log Message:
  -----------
  Cherry-pick 305413.664@safari-7624-branch (db05eacaeb0c). rdar://176058395

      Use-after-free in CSSFontFace::setStatus and CSSFontFace::pump
      https://bugs.webkit.org/show_bug.cgi?id=312202
      rdar://174525579

      Reviewed by Simon Fraser.

      Fixed the bug by using Ref instead of std::reference_wrapper in the return value of
      CSSFontFaceSet::matchingFacesExcludingPreinstalledFonts and local variables in
      FontFaceSet::load to keep CSSFontFace objects alive long enough.

      Test: fast/text/fontface-setstatus-crash.html

      * LayoutTests/fast/text/fontface-setstatus-crash-expected.txt: Added.
      * LayoutTests/fast/text/fontface-setstatus-crash.html: Added.
      * Source/WebCore/css/CSSFontFaceSet.cpp:
      (WebCore::CSSFontFaceSet::matchingFacesExcludingPreinstalledFonts):
      * Source/WebCore/css/CSSFontFaceSet.h:
      * Source/WebCore/css/FontFaceSet.cpp:
      (WebCore::FontFaceSet::load):

      Identifier: 305413.664@safari-7624-branch

Canonical link: https://commits.webkit.org/313821@main
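To illustrate the lifetime problem this commit fixes, here is an added example that is not WebKit code: std::shared_ptr and std::weak_ptr stand in for WebKit's Ref, and a toy FaceSet (with hypothetical matchingWeak/matchingStrong methods) stands in for CSSFontFaceSet::matchingFacesExcludingPreinstalledFonts. A result built from std::reference_wrapper dangles as soon as the set drops its entries, while a strong-reference result keeps the matched face alive for as long as the caller holds it.

```cpp
#include <functional>
#include <memory>
#include <vector>

struct Face {
    int id;
    bool preinstalled;
    Face(int i, bool p) : id(i), preinstalled(p) {}
};

// Simplified stand-in for CSSFontFaceSet; the set is the only owner of its faces.
struct FaceSet {
    std::vector<std::shared_ptr<Face>> faces;

    // Pre-fix shape: non-owning references into objects owned by the set.
    std::vector<std::reference_wrapper<Face>> matchingWeak() {
        std::vector<std::reference_wrapper<Face>> out;
        for (auto& f : faces)
            if (!f->preinstalled) out.emplace_back(*f);
        return out;
    }
    // Post-fix shape: each match holds a strong reference of its own.
    std::vector<std::shared_ptr<Face>> matchingStrong() {
        std::vector<std::shared_ptr<Face>> out;
        for (auto& f : faces)
            if (!f->preinstalled) out.push_back(f);
        return out;
    }
};

// Constructed sample: one web font and one preinstalled font.
static FaceSet makeSet() {
    FaceSet s;
    s.faces.push_back(std::make_shared<Face>(1, false));
    s.faces.push_back(std::make_shared<Face>(2, true));
    return s;
}

// Models FontFaceSet::load: collect matches, then the set is mutated before
// the matches are used. Returns true only if the matched face is still alive.
static bool loadWeakSurvives() {
    FaceSet set = makeSet();
    std::weak_ptr<Face> probe = set.faces[0];   // observes face 1 without owning it
    auto matches = set.matchingWeak();
    set.faces.clear();                           // the set held the only owner
    return matches.size() == 1 && !probe.expired();   // false: matches[0] now dangles
}

static bool loadStrongSurvives() {
    FaceSet set = makeSet();
    std::weak_ptr<Face> probe = set.faces[0];
    auto matches = set.matchingStrong();
    set.faces.clear();                           // matches still own face 1
    return matches.size() == 1 && !probe.expired() && matches[0]->id == 1;
}
```

The weak variant never dereferences the dangling entry; the expired probe is what shows the object would already be gone by the time load touched it.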
