Chromium Code Reviews

Issue 234823004: Heap-use-after-free in WebCore::MutableStylePropertySet::setProperty (Closed)

Created: 6 years, 8 months ago by Mikhail
Modified: 6 years, 8 months ago
Reviewers: eseidel
CC: blink-reviews, ed+blinkwatch_opera.com, dglazkov+blink, apavlov+blink_chromium.org, darktears, rune+blink, rwlbuis, eseidel, inferno
Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Visibility: Public.

Description

Heap-use-after-free in WebCore::MutableStylePropertySet::setProperty

This patch fixes a heap-use-after-free error (a regression caused by r171246) in the 'MutableStylePropertySet::setProperty' method. This error turned up because the 'setProperty' method argument contained a pointer into a vector buffer which had previously been freed (as we started to use 'Vector::swap' instead of the assignment operator).

BUG=362310

Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=171466

Patch Set 1

Stats: +2 lines, -2 lines
M Source/core/css/StylePropertySet.cpp (2 chunks, +2 lines, -2 lines, 0 comments)

Messages

Total messages: 11 (0 generated)
Mikhail
PTAL
6 years, 8 months ago (2014-04-11 09:58:39 UTC) #1
eseidel
lgtm
6 years, 8 months ago (2014-04-11 15:16:26 UTC) #2
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/mikhail.pozdnyakov@intel.com/234823004/1
6 years, 8 months ago (2014-04-11 15:16:29 UTC) #3
eseidel
Because of the inline capacity? Why would freeing the stack buffer cause the other buffer's ...
6 years, 8 months ago (2014-04-11 15:17:09 UTC) #4
commit-bot: I haz the power
The CQ bit was unchecked by commit-bot@chromium.org
6 years, 8 months ago (2014-04-11 15:18:17 UTC) #5
commit-bot: I haz the power
Try jobs failed on following builders: tryserver.blink on linux_blink_dbg
6 years, 8 months ago (2014-04-11 15:18:18 UTC) #6
Mikhail
On 2014/04/11 15:17:09, eseidel wrote: > Because of the inline capacity? Why would freeing the ...
6 years, 8 months ago (2014-04-14 07:40:38 UTC) #7
Mikhail
On 2014/04/14 07:40:38, mikhail.pozdnyakov wrote: > On 2014/04/11 15:17:09, eseidel wrote: > > Because of ...
6 years, 8 months ago (2014-04-14 10:24:28 UTC) #8
eseidel
lgtm It's still not clear to me why swap doesn't work, but ok.
6 years, 8 months ago (2014-04-14 14:49:58 UTC) #9
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/mikhail.pozdnyakov@intel.com/234823004/1
6 years, 8 months ago (2014-04-14 14:50:09 UTC) #10
commit-bot: I haz the power
6 years, 8 months ago (2014-04-14 14:50:36 UTC) #11
Message was sent while issue was closed.
Change committed as 171466
