| Index: Source/core/css/FontFace.cpp
|
| diff --git a/Source/core/css/FontFace.cpp b/Source/core/css/FontFace.cpp
|
| index 3a3c27d54c2e26a68435294bb13d3753f27beb29..ab6bc613368000a626e88a86c022cae00455b638 100644
|
| --- a/Source/core/css/FontFace.cpp
|
| +++ b/Source/core/css/FontFace.cpp
|
| @@ -586,7 +586,12 @@ void FontFace::initCSSFontFace(Document* document, PassRefPtrWillBeRawPtr<CSSVal
|
| } else {
|
| #if ENABLE(SVG_FONTS)
|
| if (item->svgFontFaceElement()) {
|
| - source = adoptPtr(new SVGFontFaceSource(item->svgFontFaceElement()));
|
| + RefPtr<SVGFontFaceElement> fontfaceElement = item->svgFontFaceElement();
|
| + // SVGFontFaceSource assumes that it is the case where <font-face> element resides in the same document.
|
| + // We put a RELEASE_ASSERT here as it will cause UAF if the assumption is false.
|
| + RELEASE_ASSERT(fontfaceElement->inDocument());
|
| + RELEASE_ASSERT(fontfaceElement->document() == document);
|
| + source = adoptPtr(new SVGFontFaceSource(fontfaceElement.get()));
|
| } else
|
| #endif
|
| {
|
|
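Review bot: The two `RELEASE_ASSERT`s verify the same-document assumption only at the moment the source is created; `SVGFontFaceSource` still receives a raw pointer through `fontfaceElement.get()`, and the local `RefPtr` is released at the closing brace of the `if` block. Whether `SVGFontFaceSource` takes its own reference, or is torn down when the element later leaves the document, is not visible in this hunk. The comment should therefore say what keeps the invariant true after construction, for example `// Checked at creation only; the source must not outlive the element's membership in |document|.` If this state can be reached from page content, the asserts turn it into a deliberate renderer crash, so it may be better to skip the SVG source when the check fails: `if (fontfaceElement->inDocument() && fontfaceElement->document() == document)`. The body of `initCSSFontFace` starts and ends outside the hunk.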
|