Title: [193409] trunk/Tools
Revision: 193409
Author: [email protected]
Date: 2015-12-03 21:24:46 -0800 (Thu, 03 Dec 2015)

Log Message

DumpRenderTree: Use-after-free in createBitmapContext() in PixelDumpSupportMac.mm
<http://webkit.org/b/151845>

Reviewed by Simon Fraser.

Fixes the following static analyzer warning:
    DumpRenderTree/mac/PixelDumpSupportMac.mm:67:9: warning: Use of memory after it is freed
            WTFLogAlways("DumpRenderTree: CGBitmapContextCreate(%p, %llu, %llu, 8, %llu, %p, 0x%x) failed\n", buffer, pixelsHigh, pixelsWide, rowBytes, colorSpace.get(), kCGImageAlphaPremultipliedFirst | kCGBitmapByteOrder32Host);
            ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

* DumpRenderTree/mac/PixelDumpSupportMac.mm:
(createBitmapContext): Free 'buffer' after using it in logging
to fix the use-after-free.  Assign a value of nullptr to buffer
so we don't return with it set to a freed address.

Modified Paths

trunk/Tools/ChangeLog
trunk/Tools/DumpRenderTree/mac/PixelDumpSupportMac.mm

Diff

Modified: trunk/Tools/ChangeLog (193408 => 193409)


--- trunk/Tools/ChangeLog	2015-12-04 05:21:45 UTC (rev 193408)
+++ trunk/Tools/ChangeLog	2015-12-04 05:24:46 UTC (rev 193409)
@@ -1,3 +1,20 @@
+2015-12-03  David Kilzer  <[email protected]>
+
+        DumpRenderTree: Use-after-free in createBitmapContext() in PixelDumpSupportMac.mm
+        <http://webkit.org/b/151845>
+
+        Reviewed by Simon Fraser.
+
+        Fixes the following static analyzer warning:
+            DumpRenderTree/mac/PixelDumpSupportMac.mm:67:9: warning: Use of memory after it is freed
+                    WTFLogAlways("DumpRenderTree: CGBitmapContextCreate(%p, %llu, %llu, 8, %llu, %p, 0x%x) failed\n", buffer, pixelsHigh, pixelsWide, rowBytes, colorSpace.get(), kCGImageAlphaPremultipliedFirst | kCGBitmapByteOrder32Host);
+                    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+        * DumpRenderTree/mac/PixelDumpSupportMac.mm:
+        (createBitmapContext): Free 'buffer' after using it in logging
+        to fix the use-after-free.  Assign a value of nullptr to buffer
+        so we don't return with it set to a freed address.
+
 2015-12-03  Jer Noble  <[email protected]>
 
         Expose WebCore's InvisibleAutoplayNotPermitted setting to WebKit & WebKit2

Modified: trunk/Tools/DumpRenderTree/mac/PixelDumpSupportMac.mm (193408 => 193409)


--- trunk/Tools/DumpRenderTree/mac/PixelDumpSupportMac.mm	2015-12-04 05:21:45 UTC (rev 193408)
+++ trunk/Tools/DumpRenderTree/mac/PixelDumpSupportMac.mm	2015-12-04 05:24:46 UTC (rev 193409)
@@ -63,8 +63,9 @@
     RetainPtr<CGColorSpaceRef> colorSpace = adoptCF(CGColorSpaceCreateDeviceRGB());
     CGContextRef context = CGBitmapContextCreate(buffer, pixelsWide, pixelsHigh, 8, rowBytes, colorSpace.get(), kCGImageAlphaPremultipliedFirst | kCGBitmapByteOrder32Host); // Use ARGB8 on PPC or BGRA8 on X86 to improve CG performance
     if (!context) {
+        WTFLogAlways("DumpRenderTree: CGBitmapContextCreate(%p, %llu, %llu, 8, %llu, %p, 0x%x) failed\n", buffer, pixelsHigh, pixelsWide, rowBytes, colorSpace.get(), kCGImageAlphaPremultipliedFirst | kCGBitmapByteOrder32Host);
         free(buffer);
-        WTFLogAlways("DumpRenderTree: CGBitmapContextCreate(%p, %llu, %llu, 8, %llu, %p, 0x%x) failed\n", buffer, pixelsHigh, pixelsWide, rowBytes, colorSpace.get(), kCGImageAlphaPremultipliedFirst | kCGBitmapByteOrder32Host);
+        buffer = nullptr;
         return nullptr;
     }
 
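Review bot: the log line moved ahead of `free(buffer)` in this hunk passes its width and height arguments in the opposite order to the call it is describing: the format string reads like the `CGBitmapContextCreate(%p, %llu, %llu, 8, %llu, %p, 0x%x)` signature, but the arguments are `buffer, pixelsHigh, pixelsWide, rowBytes, ...` while the real call two lines above is `CGBitmapContextCreate(buffer, pixelsWide, pixelsHigh, 8, rowBytes, ...)`, so a reader of the failure log sees height where the signature says width. This was already wrong on the removed line, but since the line is being touched anyway, swap them to `buffer, pixelsWide, pixelsHigh, rowBytes, colorSpace.get(), ...` so the log matches the call. Logging before the `free(buffer)` is the right fix for the analyzer's "Use of memory after it is freed" report: `%p` only prints the address, but the checker still treats handing a freed pointer to a function as a use. The added `buffer = nullptr;` immediately before `return nullptr;` is a dead store if `buffer` is a local (its declaration is outside this hunk); it is harmless, but the ChangeLog text "so we don't return with it set to a freed address" implies a guard that no caller can observe once the function has returned. Either drop the assignment or, if `buffer` is in fact visible to a caller, say so in the ChangeLog.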
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes