Fixing memory read after free in CanvasRenderingContext2D::accessFont
author junov@google.com <junov@google.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 7 Jan 2013 22:56:02 +0000 (22:56 +0000)
committer junov@google.com <junov@google.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 7 Jan 2013 22:56:02 +0000 (22:56 +0000)
https://bugs.webkit.org/show_bug.cgi?id=106244

Reviewed by Abhishek Arya.

Source/WebCore:

Using a temporary String object to hold ref count on string that is
passed by reference in CanvasRenderingContext2D::accessFont.

Test: fast/canvas/canvas-measureText.html

* html/canvas/CanvasRenderingContext2D.cpp:
(WebCore::CanvasRenderingContext2D::accessFont):

LayoutTests:

New test case to verify stability of 2D canvas method measureText.
Test case was causing a DumpRenderTree crash on builds with
AddressSanitizer instrumentation.

* fast/canvas/canvas-measureText-expected.txt: Added.
* fast/canvas/canvas-measureText.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@138994 268f45cc-cd09-0410-ab3c-d52691b4dbfc
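The hazard the commit message describes, a reference to a String that lives inside the canvas state stack being handed to a function whose own call to realizeSaves can destroy that String, generalises to any reference into a growable container. The following is an added C++ illustration, not WebKit's code: the `State`, `Context`, `realizeSaves` and `setFont` names are hypothetical stand-ins chosen to mirror the shape of the patch, and `setFont` checks pointer ranges instead of dereferencing the argument so that the vulnerable path reports the dangling reference rather than reading freed memory.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Hypothetical stand-in for a canvas drawing state (not WebKit's struct).
struct State {
    std::string unparsedFont = "10px sans-serif";
    bool realizedFont = false;
    int unrealizedSaveCount = 0;
};

class Context {
public:
    Context() { m_stateStack.emplace_back(); }

    State& state() { return m_stateStack.back(); }
    std::size_t stackSize() const { return m_stateStack.size(); }
    std::size_t stackCapacity() const { return m_stateStack.capacity(); }

    // save() only counts; the copy is deferred until a mutation happens.
    void save() { ++state().unrealizedSaveCount; }

    // Materialise deferred saves by pushing copies. A push past capacity
    // reallocates the buffer, so every reference into the old buffer dangles.
    void realizeSaves() {
        while (state().unrealizedSaveCount > 0) {
            --state().unrealizedSaveCount;
            State copy = state();
            m_stateStack.push_back(copy);
        }
    }

    // Mirrors setFont(const String&): realizeSaves() runs before 'font' is
    // used. Rather than blindly dereferencing, detect whether 'font' lived in
    // the buffer that realizeSaves() just released. Returns false on a
    // would-be read-after-free, true when the font was applied.
    bool setFont(const std::string& font) {
        const std::uintptr_t oldBegin = reinterpret_cast<std::uintptr_t>(m_stateStack.data());
        const std::uintptr_t oldEnd = oldBegin + m_stateStack.size() * sizeof(State);
        const std::uintptr_t fontAddr = reinterpret_cast<std::uintptr_t>(&font);
        const bool refersIntoStack = fontAddr >= oldBegin && fontAddr < oldEnd;

        realizeSaves();

        const bool bufferMoved =
            reinterpret_cast<std::uintptr_t>(m_stateStack.data()) != oldBegin;
        if (refersIntoStack && bufferMoved)
            return false;  // 'font' now points into freed memory; do not touch it

        state().unparsedFont = font;
        state().realizedFont = true;
        return true;
    }

    // Vulnerable shape (the 'before' side of the patch): a reference to a
    // member of the top element goes straight into a function that grows
    // the vector holding that element.
    bool accessFontUnsafe() {
        if (!state().realizedFont)
            return setFont(state().unparsedFont);
        return true;
    }

    // Fixed shape (the 'after' side): copy into a local first. The local owns
    // its own buffer and survives the reallocation inside realizeSaves().
    bool accessFontSafe() {
        if (!state().realizedFont) {
            std::string unparsedFont(state().unparsedFont);
            return setFont(unparsedFont);
        }
        return true;
    }

private:
    std::vector<State> m_stateStack;
};

// Queue exactly enough save() calls that realising them exceeds the vector's
// capacity by one element, forcing a single reallocation, then touch the font
// through either the vulnerable or the fixed accessor.
bool accessFontAfterSaves(bool useFix) {
    Context ctx;
    const std::size_t saves = ctx.stackCapacity() - ctx.stackSize() + 1;
    for (std::size_t i = 0; i < saves; ++i)
        ctx.save();
    return useFix ? ctx.accessFontSafe() : ctx.accessFontUnsafe();
}
```

`accessFontAfterSaves(false)` returns false because the reference handed to `setFont` pointed into the buffer that `realizeSaves` discarded; `accessFontAfterSaves(true)` returns true because the local copy is not affected by the reallocation. This is the same reasoning that makes the layout test's save/save/restore loop a useful regression check: the state stack has to grow during the font access for the bug to show.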

LayoutTests/ChangeLog
LayoutTests/fast/canvas/canvas-measureText-expected.txt [new file with mode: 0644]
LayoutTests/fast/canvas/canvas-measureText.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp

index 9949155..2e43bf3 100644 (file)
@@ -1,3 +1,17 @@
+2013-01-07  Justin Novosad  <junov@google.com>
+
+        Fixing memory read after free in CanvasRenderingContext2D::accessFont
+        https://bugs.webkit.org/show_bug.cgi?id=106244
+
+        Reviewed by Abhishek Arya.
+
+        New test case to verify stability of 2D canvas method measureText.
+        Test case was causing a DumpRenderTree crash on builds with
+        AddressSantitizer instrumentation.
+
+        * fast/canvas/canvas-measureText-expected.txt: Added.
+        * fast/canvas/canvas-measureText.html: Added.
+
 2013-01-07  Abhishek Arya  <inferno@chromium.org>
 
         Heap-buffer-overflow in WebCore::RenderBlock::clone.
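Review bot: typo in the new ChangeLog entry, "AddressSantitizer instrumentation" should read "AddressSanitizer instrumentation".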
diff --git a/LayoutTests/fast/canvas/canvas-measureText-expected.txt b/LayoutTests/fast/canvas/canvas-measureText-expected.txt
new file mode 100644 (file)
index 0000000..784646c
--- /dev/null
@@ -0,0 +1,5 @@
+Regression test for bug 106244
+
+Test passes by not crashing.
+
+
diff --git a/LayoutTests/fast/canvas/canvas-measureText.html b/LayoutTests/fast/canvas/canvas-measureText.html
new file mode 100644 (file)
index 0000000..4ead2e8
--- /dev/null
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+<body>
+<p>Regression test for bug <a href="http://webkit.org/b/106244">106244</a></p>
+<p>Test passes by not crashing.</p>
+<canvas id="test"></canvas>
+</body>
+<script>
+if (window.testRunner)
+   testRunner.dumpAsText();
+
+var canvas = document.getElementById("test");
+var context = canvas.getContext("2d");
+for (x = 0; x < 100; x++) {
+     context.restore();
+     context.save();
+     context.save();
+     context.measureText("a", 0, 0, 0);
+}
+</script>
+</html>
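Review bot: the loop variable in `for (x = 0; x < 100; x++)` is never declared, so it leaks as an implicit global; declare it (`for (var x = 0; x < 100; x++)`) so the test also runs under strict mode. The extra arguments in `context.measureText("a", 0, 0, 0)` are ignored by the binding and could be dropped, since measureText takes only the text, to avoid suggesting they matter to the repro.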
index 25281e6..35a125b 100644 (file)
@@ -1,3 +1,18 @@
+2013-01-07  Justin Novosad  <junov@google.com>
+
+        Fixing memory read after free in CanvasRenderingContext2D::accessFont
+        https://bugs.webkit.org/show_bug.cgi?id=106244
+
+        Reviewed by Abhishek Arya.
+
+        Using a temporary String object to hold ref count on string that is
+        passed by reference in CanvasRenderingContext2D::accessFont.
+
+        Test: fast/canvas/canvas-measureText.html
+
+        * html/canvas/CanvasRenderingContext2D.cpp:
+        (WebCore::CanvasRenderingContext2D::accessFont):
+
 2013-01-07  Anders Carlsson  <andersca@apple.com>
 
         DOMEvents.h should include DOMProgressEvent.h
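Review bot: the description "hold ref count on string that is passed by reference" leaves out what invalidates the reference; it would help future readers to say here, as the code comment in CanvasRenderingContext2D.cpp does, that setFont's call to realizeSaves can unref state().m_unparsedFont while setFont is still using the reference to it.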
index 129d2a5..7dd0916 100644 (file)
@@ -2373,8 +2373,13 @@ const Font& CanvasRenderingContext2D::accessFont()
 {
     canvas()->document()->updateStyleIfNeeded();
 
-    if (!state().m_realizedFont)
-        setFont(state().m_unparsedFont);
+    if (!state().m_realizedFont) {
+        // Create temporary string object to hold ref count in case
+        // state().m_unparsedFont in unreffed by call to realizeSaves in
+        // setFont.
+        String unparsedFont(state().m_unparsedFont);
+        setFont(unparsedFont);
+    }
     return state().m_font;
 }
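Review bot: grammar in the new comment, "in case state().m_unparsedFont in unreffed by call to realizeSaves in setFont" should read "is unreffed". Since the fix depends on the local `String unparsedFont(state().m_unparsedFont)` keeping the underlying string alive across realizeSaves, consider stating that explicitly in the comment (for example "the local copy holds a ref across setFont's realizeSaves") so nobody later "simplifies" it back to passing state().m_unparsedFont directly.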