Title: [164876] trunk/Source/WebCore
- Revision: 164876
- Author: [email protected]
- Date: 2014-02-28 11:19:03 -0800 (Fri, 28 Feb 2014)
Log Message
Properly clear m_logicallyLastRun to remove use-after-free possibility
https://bugs.webkit.org/show_bug.cgi?id=129489
Reviewed by David Hyatt.
A use-after-free issue was caught in Blink because m_logicallyLastRun
is not cleared when the item it points to is deleted. Clearing it
turns the use-after-free into a segfault, and prevents any future
use-after-frees from happening.
* platform/text/BidiRunList.h:
(WebCore::BidiRunList<Run>::deleteRuns):
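The bug pattern the log message describes, as an added example that is not WebKit's code: a reduced RunList (hypothetical, modelled on BidiRunList<Run>) caches the run that ends the line in m_logicallyLastRun, and deleteRuns() frees every run. Compiled with the pre-fix reset (three fields, m_logicallyLastRun untouched) the cache keeps a freed address; compiled with the post-fix reset that delegates to clearWithoutDestroyingRuns() it is null, so any later read faults instead of touching freed memory. The Run struct, the RunList members and the body of clearWithoutDestroyingRuns() are assumptions made for this example, not the real class.

```cpp
#include <cassert>
#include <cstddef>

// Toy run node; the real WebCore Run carries much more state.
struct Run {
    Run(int start, int stop) : m_start(start), m_stop(stop) {}
    Run* next() const { return m_next; }
    void setNext(Run* n) { m_next = n; }
    int m_start;
    int m_stop;
    Run* m_next = nullptr;
};

// kClearLogicallyLastRun selects the post-fix deleteRuns() (true, as in
// r164876) or the pre-fix one (false) so both can be compared side by side.
template <bool kClearLogicallyLastRun>
class RunList {
public:
    ~RunList() { deleteRuns(); }

    void addRun(Run* run) {
        if (!m_firstRun)
            m_firstRun = run;
        else
            m_lastRun->setNext(run);
        m_lastRun = run;
        m_runCount++;
        // Cached "logically last" run: a second pointer into the same nodes
        // that deleteRuns() frees, so it must be reset together with them.
        m_logicallyLastRun = run;
    }

    Run* firstRun() const { return m_firstRun; }
    Run* logicallyLastRun() const { return m_logicallyLastRun; }
    unsigned runCount() const { return m_runCount; }

    // Assumed body: resets every cached pointer, including m_logicallyLastRun,
    // which is what makes delegating to it from deleteRuns() a fix.
    void clearWithoutDestroyingRuns() {
        m_firstRun = nullptr;
        m_lastRun = nullptr;
        m_logicallyLastRun = nullptr;
        m_runCount = 0;
    }

    void deleteRuns() {
        Run* curr = m_firstRun;
        while (curr) {
            Run* s = curr->next();
            delete curr;  // frees the node m_logicallyLastRun may still point to
            curr = s;
        }
        if (kClearLogicallyLastRun) {
            clearWithoutDestroyingRuns();  // post-fix: no stale pointer survives
        } else {
            m_firstRun = nullptr;          // pre-fix: three fields reset, while
            m_lastRun = nullptr;           // m_logicallyLastRun keeps the freed
            m_runCount = 0;                // address (dangling pointer)
        }
    }

private:
    Run* m_firstRun = nullptr;
    Run* m_lastRun = nullptr;
    Run* m_logicallyLastRun = nullptr;
    unsigned m_runCount = 0;
};

// Builds a two-run list (constructed input), destroys the runs and reports
// what the cache holds afterwards. Only the pointer value is inspected;
// dereferencing it in the pre-fix case would be the use-after-free itself.
template <bool kClear>
static Run* logicallyLastRunAfterDelete() {
    RunList<kClear> runs;
    runs.addRun(new Run(0, 4));
    runs.addRun(new Run(4, 9));
    runs.deleteRuns();
    return runs.logicallyLastRun();
}

// Pre-fix: a non-null address to freed memory survives deleteRuns().
bool preFixLeavesDanglingPointer() { return logicallyLastRunAfterDelete<false>() != nullptr; }

// Post-fix: the cache is null, so a later read is a null dereference, not a UAF.
bool postFixClearsPointer() { return logicallyLastRunAfterDelete<true>() == nullptr; }

int main() {
    assert(preFixLeavesDanglingPointer());
    assert(postFixClearsPointer());
    return 0;
}
```

Running the pre-fix variant under AddressSanitizer and dereferencing the returned pointer is the quickest way to reproduce the class of report Blink caught; the post-fix variant crashes on a null read instead, which is the "segfault" the log message prefers over silent reuse of freed memory.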
Modified Paths
Diff
Modified: trunk/Source/WebCore/ChangeLog (164875 => 164876)
--- trunk/Source/WebCore/ChangeLog 2014-02-28 19:03:49 UTC (rev 164875)
+++ trunk/Source/WebCore/ChangeLog 2014-02-28 19:19:03 UTC (rev 164876)
@@ -1,3 +1,18 @@
+2014-02-28 Bem Jones-Bey <[email protected]>
+
+ Properly clear m_logicallyLastRun to remove use-after-free possibility
+ https://bugs.webkit.org/show_bug.cgi?id=129489
+
+ Reviewed by David Hyatt.
+
+ A use-after-free issue was caught in Blink because m_logicallyLastRun
+ is not cleared when the item it points to is deleted. Clearing it
+ turns the use-after-free into a segfault, and prevents any future
+ use-after-frees from happening.
+
+ * platform/text/BidiRunList.h:
+ (WebCore::BidiRunList<Run>::deleteRuns):
+
2014-02-28 Jer Noble <[email protected]>
[Mac] Disambiguate calls to [[window contentView] layer] and [... setLayer:]
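Review bot: the entry claims the change "prevents any future use-after-frees from happening" but names no site where m_logicallyLastRun is read after deleteRuns(), and the changeset touches only ChangeLog and BidiRunList.h, so there is no regression test for the Blink reproducer; please add a sentence naming the reader that dereferenced the stale pointer and, ideally, a test that exercises deleteRuns() followed by that read.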
Modified: trunk/Source/WebCore/platform/text/BidiRunList.h (164875 => 164876)
--- trunk/Source/WebCore/platform/text/BidiRunList.h 2014-02-28 19:03:49 UTC (rev 164875)
+++ trunk/Source/WebCore/platform/text/BidiRunList.h 2014-02-28 19:19:03 UTC (rev 164876)
@@ -193,9 +193,7 @@
curr = s;
}
- m_firstRun = 0;
- m_lastRun = 0;
- m_runCount = 0;
+ clearWithoutDestroyingRuns();
}
template <class Run>
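Review bot: the hunk is a fix only if clearWithoutDestroyingRuns() also nulls m_logicallyLastRun in addition to the three fields the removed lines reset (m_firstRun, m_lastRun, m_runCount), and that function's body is outside the diff; please confirm it does, and consider an ASSERT(!m_logicallyLastRun) at the point where runs are next appended, so a later edit to clearWithoutDestroyingRuns() cannot quietly reintroduce the dangling pointer.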
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes