Skip to site navigation (Press enter)

[webkit-changes] [139144] trunk/Source/WebCore

junov Tue, 08 Jan 2013 18:28:21 -0800

Title: [139144] trunk/Source/WebCore

Revision: 139144
Author: ju...@google.com
Date: 2013-01-08 18:30:03 -0800 (Tue, 08 Jan 2013)

Log Message

CanvasRenderingContext2D::setFont argument may reference destroyed object
https://bugs.webkit.org/show_bug.cgi?id=106385


Reviewed by Abhishek Arya.

No new tests: covered by fast/canvas/canvas-measureText.html

This is a re-write of r138994.  Fixing bug in setFont instead of
workaround at call site.

* html/canvas/CanvasRenderingContext2D.cpp:
(WebCore::CanvasRenderingContext2D::setFont):
(WebCore::CanvasRenderingContext2D::accessFont):

Modified Paths

trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp

Diff

Modified: trunk/Source/WebCore/ChangeLog (139143 => 139144)


--- trunk/Source/WebCore/ChangeLog	2013-01-09 02:28:26 UTC (rev 139143)
+++ trunk/Source/WebCore/ChangeLog	2013-01-09 02:30:03 UTC (rev 139144)
@@ -1,3 +1,19 @@
+2013-01-08  Justin Novosad  <ju...@google.com>
+
+        CanvasRenderingContext2D::setFont argument may reference destroyed object
+        https://bugs.webkit.org/show_bug.cgi?id=106385
+
+        Reviewed by Abhishek Arya.
+
+        No new tests: covered by fast/canvas/canvas-measureText.html
+
+        This is a re-write of r138994.  Fixing bug in setFont instead of
+        workaround at call site. 
+
+        * html/canvas/CanvasRenderingContext2D.cpp:
+        (WebCore::CanvasRenderingContext2D::setFont):
+        (WebCore::CanvasRenderingContext2D::accessFont):
+
 2013-01-08  David Grogan  <dgro...@chromium.org>
 
         IndexedDB: Provide LevelDB with IDBEnv instead of Env::Default

Modified: trunk/Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp (139143 => 139144)


--- trunk/Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp	2013-01-09 02:28:26 UTC (rev 139143)
+++ trunk/Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp	2013-01-09 02:30:03 UTC (rev 139144)
@@ -2088,8 +2088,9 @@
         return;
 
     // The parse succeeded.
+    String newFontSafeCopy(newFont); // Create a string copy since newFont can be deleted inside realizeSaves.
     realizeSaves();
-    modifiableState().m_unparsedFont = newFont;
+    modifiableState().m_unparsedFont = newFontSafeCopy;
 
     // Map the <canvas> font into the text style. If the font uses keywords like larger/smaller, these will work
     // relative to the canvas.
@@ -2373,13 +2374,8 @@
 {
     canvas()->document()->updateStyleIfNeeded();
 
-    if (!state().m_realizedFont) {
-        // Create temporary string object to hold ref count in case
-        // state().m_unparsedFont in unreffed by call to realizeSaves in
-        // setFont.
-        String unparsedFont(state().m_unparsedFont);
-        setFont(unparsedFont);
-    }
+    if (!state().m_realizedFont)
+        setFont(state().m_unparsedFont);
     return state().m_font;
 }

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo/webkit-changes