Title: [139057] branches/chromium/1271
Revision: 139057
Author: [email protected]
Date: 2013-01-08 07:58:03 -0800 (Tue, 08 Jan 2013)

Log Message

Merge 138994
> Fixing memory read after free in CanvasRenderingContext2D::accessFont
> https://bugs.webkit.org/show_bug.cgi?id=106244
> 
> Reviewed by Abhishek Arya.
> 
> Source/WebCore:
> 
> Using a temporary String object to hold ref count on string that is
> passed by reference in CanvasRenderingContext2D::accessFont.
> 
> Test: fast/canvas/canvas-measureText.html
> 
> * html/canvas/CanvasRenderingContext2D.cpp:
> (WebCore::CanvasRenderingContext2D::accessFont):
> 
> LayoutTests:
> 
> New test case to verify stability of 2D canvas method measureText.
> Test case was causing a DumpRenderTree crash on builds with
> AddressSanitizer instrumentation.
> 
> * fast/canvas/canvas-measureText-expected.txt: Added.
> * fast/canvas/canvas-measureText.html: Added.
> 

Diff

Modified: branches/chromium/1271/LayoutTests/ChangeLog (139056 => 139057)


--- branches/chromium/1271/LayoutTests/ChangeLog	2013-01-08 15:26:51 UTC (rev 139056)
+++ branches/chromium/1271/LayoutTests/ChangeLog	2013-01-08 15:58:03 UTC (rev 139057)
@@ -1,5 +1,19 @@
-2012-10-01  Keishi Hattori  <[email protected]>
+2013-01-07  Justin Novosad  <[email protected]>
 
+        Fixing memory read after free in CanvasRenderingContext2D::accessFont
+        https://bugs.webkit.org/show_bug.cgi?id=106244
+
+        Reviewed by Abhishek Arya.
+
+        New test case to verify stability of 2D canvas method measureText.
+        Test case was causing a DumpRenderTree crash on builds with
+        AddressSantitizer instrumentation.
+
+        * fast/canvas/canvas-measureText-expected.txt: Added.
+        * fast/canvas/canvas-measureText.html: Added.
+
+2013-01-07  Abhishek Arya  <[email protected]>
+
         REGRESSION(r127727): Calendar picker is ignoring step
         https://bugs.webkit.org/show_bug.cgi?id=97893
 
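Review bot: the `-`/`+` pair at the top of this hunk replaces the existing `2012-10-01  Keishi Hattori` header with `2013-01-07  Abhishek Arya`, so the `REGRESSION(r127727): Calendar picker is ignoring step` entry that follows in the context lines is now attributed to Abhishek Arya and dated 2013-01-07. The merged entry should be inserted above the original header, which should stay as it was. The new entry also carries the typo `AddressSantitizer` (should be `AddressSanitizer`).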

Copied: branches/chromium/1271/LayoutTests/fast/canvas/canvas-measureText-expected.txt (from rev 138994, trunk/LayoutTests/fast/canvas/canvas-measureText-expected.txt) (0 => 139057)


--- branches/chromium/1271/LayoutTests/fast/canvas/canvas-measureText-expected.txt	                        (rev 0)
+++ branches/chromium/1271/LayoutTests/fast/canvas/canvas-measureText-expected.txt	2013-01-08 15:58:03 UTC (rev 139057)
@@ -0,0 +1,5 @@
+Regression test for bug 106244
+
+Test passes by not crashing.
+
+

Copied: branches/chromium/1271/LayoutTests/fast/canvas/canvas-measureText.html (from rev 138994, trunk/LayoutTests/fast/canvas/canvas-measureText.html) (0 => 139057)


--- branches/chromium/1271/LayoutTests/fast/canvas/canvas-measureText.html	                        (rev 0)
+++ branches/chromium/1271/LayoutTests/fast/canvas/canvas-measureText.html	2013-01-08 15:58:03 UTC (rev 139057)
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+<body>
+<p>Regression test for bug <a href=""
+<p>Test passes by not crashing.</p>
+<canvas id="test"></canvas>
+</body>
+<script>
+if (window.testRunner)
+   testRunner.dumpAsText();
+
+var canvas = document.getElementById("test");
+var context = canvas.getContext("2d");
+for (x = 0; x < 100; x++) {
+     context.restore();
+     context.save();
+     context.save();
+     context.measureText("a", 0, 0, 0);
+}
+</script>
+</html>
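Review bot: the line `<p>Regression test for bug <a href=""` is incomplete as shown: the anchor has an empty href, no link text and no closing `</a>` or `</p>`, so the page will not render the `106244` that canvas-measureText-expected.txt expects on its first line and the text dump will not match. Two smaller points: `for (x = 0; ...)` creates an implicit global (use `var x`), and the extra `0, 0, 0` arguments to `measureText("a", ...)` are ignored by the API and can be dropped. A one-line comment saying that the unbalanced `restore()`/`save()`/`save()` sequence is intentional (each iteration leaves one more unrealized save on the state stack, which is what drives the `realizeSaves` path named in the accessFont fix) would make the regression test self-explanatory for whoever touches it next.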

Modified: branches/chromium/1271/Source/WebCore/ChangeLog (139056 => 139057)


--- branches/chromium/1271/Source/WebCore/ChangeLog	2013-01-08 15:26:51 UTC (rev 139056)
+++ branches/chromium/1271/Source/WebCore/ChangeLog	2013-01-08 15:58:03 UTC (rev 139057)
@@ -1,5 +1,20 @@
-2012-10-01  Keishi Hattori  <[email protected]>
+2013-01-07  Justin Novosad  <[email protected]>
 
+        Fixing memory read after free in CanvasRenderingContext2D::accessFont
+        https://bugs.webkit.org/show_bug.cgi?id=106244
+
+        Reviewed by Abhishek Arya.
+
+        Using a temporary String object to hold ref count on string that is
+        passed by reference in CanvasRenderingContext2D::accessFont.
+
+        Test: fast/canvas/canvas-measureText.html
+
+        * html/canvas/CanvasRenderingContext2D.cpp:
+        (WebCore::CanvasRenderingContext2D::accessFont):
+
+2013-01-07  Anders Carlsson  <[email protected]>
+
         REGRESSION(r127727): Calendar picker is ignoring step
         https://bugs.webkit.org/show_bug.cgi?id=97893
 
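Review bot: same header problem as in the LayoutTests ChangeLog, but here the replaced `2012-10-01  Keishi Hattori` line becomes `2013-01-07  Anders Carlsson`, so the two ChangeLogs now credit the same Calendar picker entry to two different people on the same date. Restore the original header and insert the new entry above it.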

Modified: branches/chromium/1271/Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp (139056 => 139057)


--- branches/chromium/1271/Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp	2013-01-08 15:26:51 UTC (rev 139056)
+++ branches/chromium/1271/Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp	2013-01-08 15:58:03 UTC (rev 139057)
@@ -2360,8 +2360,13 @@
 {
     canvas()->document()->updateStyleIfNeeded();
 
-    if (!state().m_realizedFont)
-        setFont(state().m_unparsedFont);
+    if (!state().m_realizedFont) {
+        // Create temporary string object to hold ref count in case
+        // state().m_unparsedFont in unreffed by call to realizeSaves in
+        // setFont.
+        String unparsedFont(state().m_unparsedFont);
+        setFont(unparsedFont);
+    }
     return state().m_font;
 }
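Review bot: the comment has a typo (`in unreffed` should be `is unreffed`) and would be more useful if it named the actual hazard: `state()` returns a reference into the context's state stack, and `setFont` calls `realizeSaves`, which can drop the reference held by `state().m_unparsedFont`, so passing that member by const reference lets the string be freed while `setFont` is still reading it. The local `String unparsedFont(state().m_unparsedFont)` keeps the string data alive for the duration of the call. Worth stating in the comment that this copy is a ref-count increment rather than a deep copy, so nobody removes it later as a "needless" copy and reintroduces the read after free.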
 
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes
