| Index: Source/core/css/FontFace.cpp
|
| diff --git a/Source/core/css/FontFace.cpp b/Source/core/css/FontFace.cpp
|
| index 9083eed84c0c12c146465eb4f237c01fd094f5bb..245f3914e32e7b1f7f4627c84389ca54a6c09cf0 100644
|
| --- a/Source/core/css/FontFace.cpp
|
| +++ b/Source/core/css/FontFace.cpp
|
| @@ -585,7 +585,12 @@ void FontFace::initCSSFontFace(Document* document, PassRefPtrWillBeRawPtr<CSSVal
|
| } else {
|
| #if ENABLE(SVG_FONTS)
|
| if (item->svgFontFaceElement()) {
|
| - source = adoptPtr(new SVGFontFaceSource(item->svgFontFaceElement()));
|
| + RefPtr<SVGFontFaceElement> fontfaceElement = item->svgFontFaceElement();
|
| + // SVGFontFaceSource assumes that it is the case where <font-face> element resides in the same document.
|
| + // We put a RELEASE_ASSERT here as it will cause UAF if the assumption is false.
|
| + RELEASE_ASSERT(fontfaceElement->inDocument());
|
| + RELEASE_ASSERT(fontfaceElement->document() == document);
|
| + source = adoptPtr(new SVGFontFaceSource(fontfaceElement.get()));
|
| } else
|
| #endif
|
| {
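Review bot: The two added `RELEASE_ASSERT`s check the element only at the moment `SVGFontFaceSource` is constructed, and the local `RefPtr<SVGFontFaceElement>` is released when the block exits, while the source receives a raw pointer through `fontfaceElement.get()`. Nothing in the hunk shows what keeps the element alive, or in `document`, for the lifetime of the source. If the `<font-face>` element can later be removed or adopted into another document, the stale-pointer condition may still be reachable after these asserts have passed, so it is worth confirming that `SVGFontFaceSource` holds its own reference or is invalidated on removal. I would also make the comment name the object at risk, for example `// SVGFontFaceSource keeps a pointer to the <font-face> element and relies on it staying in |document|; crash deliberately here rather than risk a use-after-free later.` A failed assert is still a renderer crash that content can trigger, so if this state is reachable from a page, skipping the source may be preferable to asserting. `initCSSFontFace` starts and ends outside the hunk, so the surrounding control flow is not visible here.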
|
|
|