Crash in WebCore::translateIntersectionPointsToSkipInkBoundaries
https://bugs.webkit.org/show_bug.cgi?id=126252
Reviewed by Alexey Proskuryakov.
Source/WebCore:
lastIntermediate was a iterator pointing into a Vector, which was being re-used
even while appending to the Vector. If any of the append operators triggered
a realloc, the iterator would point to the old free'ed memory.
Test: fast/css3-text/css3-text-decoration/text-decoration-skip/text-decoration-skip-ink-crash-many-gaps.html
* rendering/InlineTextBox.cpp:
(WebCore::translateIntersectionPointsToSkipInkBoundaries):
LayoutTests:
This test causes intermediateTuples, a Vector of tuples of floats, to have enough
entries to cause a realloc. In my tests, the realloc seems to always allocate the
next area of memory (without unmapping any old pages), so this test only crashes
if guardMalloc is used.
* fast/css3-text/css3-text-decoration/text-decoration-skip/text-decoration-skip-ink-crash-many-gaps-expected.txt: Added.
* fast/css3-text/css3-text-decoration/text-decoration-skip/text-decoration-skip-ink-crash-many-gaps.html: Added.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@161244
268f45cc-cd09-0410-ab3c-
d52691b4dbfc
git://git.webkit.org / WebKit-https.git / commit