Crash in WebCore::translateIntersectionPointsToSkipInkBoundaries
[WebKit-https.git] / Source / WebCore / ChangeLog
index 7a61969b21de700cf8665e202faca3ba0ec1e793..f49964be6b0d4083f05cab6cbbe0928986ff76ee 100644 (file)
@@ -1,3 +1,19 @@
+2014-01-02  Myles C. Maxfield  <mmaxfield@apple.com>
+
+        Crash in WebCore::translateIntersectionPointsToSkipInkBoundaries
+        https://bugs.webkit.org/show_bug.cgi?id=126252
+
+        Reviewed by Alexey Proskuryakov.
+
+        lastIntermediate was a iterator pointing into a Vector, which was being re-used
+        even while appending to the Vector. If any of the append operators triggered
+        a realloc, the iterator would point to the old free'ed memory.
+
+        Test: fast/css3-text/css3-text-decoration/text-decoration-skip/text-decoration-skip-ink-crash-many-gaps.html
+
+        * rendering/InlineTextBox.cpp:
+        (WebCore::translateIntersectionPointsToSkipInkBoundaries):
+
 2014-01-02  Brent Fulgham  <bfulgham@apple.com>
 
         [WebGL] Correct symbol lookup logic to handle 1-element arrays
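Review bot: the entry names the changed function at `(WebCore::translateIntersectionPointsToSkipInkBoundaries):` but gives no per-function description of what the fix actually does; the paragraph above explains the cause (lastIntermediate was an iterator into a Vector that was still being appended to, so a reallocation left it pointing at freed memory) but not how the iterator reuse was removed. Add a one-line description under the function name stating the approach taken, for example whether the code now stores an index into the Vector instead of an iterator, or re-derives the position after each append, so a reader of the ChangeLog can tell the dangling-iterator pattern was eliminated rather than just made less likely. While there, "a iterator" should read "an iterator" and "free'ed" should be "freed".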