
Side by Side Diff: src/core/SkPictureData.cpp

Issue 1264503011: Double free in ~SkPictureData() (Closed) Base URL: https://chromium.googlesource.com/skia.git@master
Patch Set: Created 5 years, 4 months ago
OLDNEW
1 /* 1 /*
2 * Copyright 2011 Google Inc. 2 * Copyright 2011 Google Inc.
3 * 3 *
4 * Use of this source code is governed by a BSD-style license that can be 4 * Use of this source code is governed by a BSD-style license that can be
5 * found in the LICENSE file. 5 * found in the LICENSE file.
6 */ 6 */
7 #include <new> 7 #include <new>
8 #include "SkPictureData.h" 8 #include "SkPictureData.h"
9 #include "SkPictureRecord.h" 9 #include "SkPictureRecord.h"
10 #include "SkReadBuffer.h" 10 #include "SkReadBuffer.h"
(...skipping 359 matching lines...) Expand 10 before | Expand all | Expand 10 after
370 tf.reset(SkTypeface::RefDefault()); 370 tf.reset(SkTypeface::RefDefault());
371 } 371 }
372 fTFPlayback.set(i, tf); 372 fTFPlayback.set(i, tf);
373 } 373 }
374 } break; 374 } break;
375 case SK_PICT_PICTURE_TAG: { 375 case SK_PICT_PICTURE_TAG: {
376 fPictureCount = size; 376 fPictureCount = size;
377 fPictureRefs = SkNEW_ARRAY(const SkPicture*, fPictureCount); 377 fPictureRefs = SkNEW_ARRAY(const SkPicture*, fPictureCount);
378 bool success = true; 378 bool success = true;
379 int i = 0; 379 int i = 0;
380 for ( ; i < fPictureCount; i++) { 380 for ( ; i < fPictureCount; i++) {
mtklein 2015/07/29 21:09:22 This seems fine, but I don't know if I'd have writ
381 fPictureRefs[i] = SkPicture::CreateFromStream(stream, proc); 381 fPictureRefs[i] = SkPicture::CreateFromStream(stream, proc);
382 if (NULL == fPictureRefs[i]) { 382 if (NULL == fPictureRefs[i]) {
383 success = false; 383 success = false;
384 break; 384 break;
385 } 385 }
386 } 386 }
387 if (!success) { 387 if (!success) {
388 // Delete all of the pictures that were already created (up to b ut excluding i): 388 // The destructor unrefs fPictureCount fPictureRefs, and deletes the array.
389 for (int j = 0; j < i; j++) { 389 fPictureCount = i;
390 fPictureRefs[j]->unref();
391 }
392 // Delete the array
393 SkDELETE_ARRAY(fPictureRefs);
394 fPictureCount = 0;
395 return false; 390 return false;
396 } 391 }
397 } break; 392 } break;
398 case SK_PICT_BUFFER_SIZE_TAG: { 393 case SK_PICT_BUFFER_SIZE_TAG: {
399 SkAutoMalloc storage(size); 394 SkAutoMalloc storage(size);
400 if (stream->read(storage.get(), size) != size) { 395 if (stream->read(storage.get(), size) != size) {
401 return false; 396 return false;
402 } 397 }
403 398
404 /* Should we use SkValidatingReadBuffer instead? */ 399 /* Should we use SkValidatingReadBuffer instead? */
(...skipping 217 matching lines...) Expand 10 before | Expand all | Expand 10 after
622 } 617 }
623 } 618 }
624 619
625 bool SkPictureData::suitableForLayerOptimization() const { 620 bool SkPictureData::suitableForLayerOptimization() const {
626 return fContentInfo.numLayers() > 0; 621 return fContentInfo.numLayers() > 0;
627 } 622 }
628 #endif 623 #endif
629 /////////////////////////////////////////////////////////////////////////////// 624 ///////////////////////////////////////////////////////////////////////////////
630 625
631 626
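Review bot: Nothing visible in the SK_PICT_PICTURE_TAG case (new lines 375-392) rejects a second occurrence of the tag, so with cleanup now left to the destructor a repeated tag would, as far as these lines show, overwrite `fPictureRefs` at line 377 and leak the earlier array and its refs. If the parse loop outside this view does not already guarantee one such tag per stream, a guard before the allocation such as `if (fPictureRefs) { return false; }` would close that, assuming the member starts out NULL. The comment added at line 388 could also spell out the invariant the fix relies on, e.g. `// Slots [i, size) are uninitialized; fPictureCount must equal the number of valid refs.` `size` appears to be read from the stream and is assigned to `fPictureCount` at line 376 before any bound check, so it is worth confirming that a caller validates it. The enclosing function begins and ends outside the lines shown.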
