Crash in WebCore::translateIntersectionPointsToSkipInkBoundaries
authormmaxfield@apple.com <mmaxfield@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 3 Jan 2014 01:32:18 +0000 (01:32 +0000)
committermmaxfield@apple.com <mmaxfield@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 3 Jan 2014 01:32:18 +0000 (01:32 +0000)
commit4ec89d12608076029dd94c1018f7c7e0871a7750
tree395c05c08fbf57f98703b1fce82666875427a453
parentd4bef7b59782281efc5b16f441ee9cb35d38d2f3
Crash in WebCore::translateIntersectionPointsToSkipInkBoundaries
https://bugs.webkit.org/show_bug.cgi?id=126252

Reviewed by Alexey Proskuryakov.

Source/WebCore:

lastIntermediate was a iterator pointing into a Vector, which was being re-used
even while appending to the Vector. If any of the append operators triggered
a realloc, the iterator would point to the old free'ed memory.

Test: fast/css3-text/css3-text-decoration/text-decoration-skip/text-decoration-skip-ink-crash-many-gaps.html

* rendering/InlineTextBox.cpp:
(WebCore::translateIntersectionPointsToSkipInkBoundaries):

LayoutTests:

This test causes intermediateTuples, a Vector of tuples of floats, to have enough
entries to cause a realloc. In my tests, the realloc seems to always allocate the
next area of memory (without unmapping any old pages), so this test only crashes
if guardMalloc is used.

* fast/css3-text/css3-text-decoration/text-decoration-skip/text-decoration-skip-ink-crash-many-gaps-expected.txt: Added.
* fast/css3-text/css3-text-decoration/text-decoration-skip/text-decoration-skip-ink-crash-many-gaps.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@161244 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/fast/css3-text/css3-text-decoration/text-decoration-skip/text-decoration-skip-ink-crash-many-gaps-expected.txt [new file with mode: 0644]
LayoutTests/fast/css3-text/css3-text-decoration/text-decoration-skip/text-decoration-skip-ink-crash-many-gaps.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/rendering/InlineTextBox.cpp