Title: [165289] branches/safari-537.75-branch/Source/WebCore
Revision: 165289
Author: [email protected]
Date: 2014-03-07 13:57:32 -0800 (Fri, 07 Mar 2014)

Log Message

Merged r164876.

Modified Paths

Diff

Modified: branches/safari-537.75-branch/Source/WebCore/ChangeLog (165288 => 165289)


--- branches/safari-537.75-branch/Source/WebCore/ChangeLog	2014-03-07 21:56:18 UTC (rev 165288)
+++ branches/safari-537.75-branch/Source/WebCore/ChangeLog	2014-03-07 21:57:32 UTC (rev 165289)
@@ -1,5 +1,24 @@
 2014-03-07  Matthew Hanson  <[email protected]>
 
+        Merge r164876.
+
+    2014-02-28  Bem Jones-Bey  <[email protected]>
+
+            Properly clear m_logicallyLastRun to remove use-after-free possibility
+            https://bugs.webkit.org/show_bug.cgi?id=129489
+
+            Reviewed by David Hyatt.
+
+            A use-after-free issue was caught in Blink because m_logicallyLastRun
+            is not cleared when the item it points to is deleted. Clearing it
+            turns the use-after-free into a segfault, and prevents any future
+            use-after-frees from happening.
+
+            * platform/text/BidiRunList.h:
+            (WebCore::BidiRunList<Run>::deleteRuns):
+
+2014-03-07  Matthew Hanson  <[email protected]>
+
         Merge r165206.
 
     2014-03-05  Jon Honeycutt  <[email protected]>
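Review bot: The merged entry for r164876 names no regression test; its file list carries only platform/text/BidiRunList.h and deleteRuns, so nothing recorded here exercises the case where m_logicallyLastRun points at a deleted run. If the original change shipped without a test, the entry should say so with the reason. The sentence "prevents any future use-after-frees from happening" also claims more than the change supports, since the fix covers only the stale m_logicallyLastRun pointer left behind by deleteRuns; narrowing it to that pointer would keep the log accurate for anyone auditing this branch later.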

Modified: branches/safari-537.75-branch/Source/WebCore/platform/text/BidiRunList.h (165288 => 165289)


--- branches/safari-537.75-branch/Source/WebCore/platform/text/BidiRunList.h	2014-03-07 21:56:18 UTC (rev 165288)
+++ branches/safari-537.75-branch/Source/WebCore/platform/text/BidiRunList.h	2014-03-07 21:57:32 UTC (rev 165289)
@@ -193,9 +193,7 @@
         curr = s;
     }
 
-    m_firstRun = 0;
-    m_lastRun = 0;
-    m_runCount = 0;
+    clearWithoutDestroyingRuns();
 }
 
 template <class Run>
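Review bot: clearWithoutDestroyingRuns() is not defined in this hunk, so the replacement at the end of deleteRuns cannot be checked here to still reset m_firstRun, m_lastRun and m_runCount as the three removed lines did, in addition to clearing m_logicallyLastRun. Confirm that against the helper's definition on this branch, since a merge onto a branch where the helper differs would silently drop one of the resets. A one-line comment at the call site saying that the helper also clears m_logicallyLastRun would keep a later edit from reverting to the partial reset.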
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
