Chromium Code Reviews

Issue 305173003: Heap-use-after-free in WebCore::GraphicsContext::drawImage (Closed)

Created:
6 years, 6 months ago by Hans Muller
Modified:
6 years, 6 months ago
Reviewers:
pdr., eseidel, rwlbuis
CC:
blink-reviews, blink-reviews-rendering, zoltan1, eae+blinkwatch, leviw+renderwatch, jchaffraix+rendering, rune+blink
Base URL:
https://chromium.googlesource.com/chromium/blink.git@master
Visibility:
Public.

Description

Heap-use-after-free in WebCore::GraphicsContext::drawImage

Replaced getShapeImageAndRect() in ShapeOutsideInfo.cpp with ShapeOutsideInfo::createShapeForImage(). The original function failed to protect the PassRefPtr return value returned by StyleImage::image().

BUG=378469
Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=175176
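The ownership mistake named in the description, and the release()/PassRefPtr hand-off discussed further down the thread, as an added example that is not Blink's code. It uses simplified stand-ins for WTF's RefCounted, RefPtr and PassRefPtr (assumed, stripped to the semantics that matter here), a hypothetical StyleImage whose image() either shares a cached reference or creates a fresh uncached gradient, and a hypothetical createRasterShape() that takes a PassRefPtr. A std::set of live objects stands in for ASan's allocator tracking so the dangling pointer is detected without dereferencing freed memory. drawShapeImageBefore() shows why pulling the raw pointer out of the temporary PassRefPtr only fails for uncached images; drawShapeImageAfter() shows the RefPtr-then-release() shape of the fix.

```cpp
#include <set>

// Simplified stand-ins for WTF's RefCounted / RefPtr / PassRefPtr. Assumption: added example code,
// not Blink's; only the ownership semantics needed to show the bug and the fix are modelled.
template <typename T> class PassRefPtr;
struct AdoptTag {};

class RefCounted {
public:
    void ref() { ++m_refCount; }
    void deref() { if (--m_refCount == 0) delete this; }  // last reference gone: object is freed
    int refCount() const { return m_refCount; }
protected:
    RefCounted() : m_refCount(1) {}                      // born holding one reference, handed out via adoptRef()
    virtual ~RefCounted() {}
private:
    int m_refCount;
};

// Owning pointer: holds one reference for its whole lifetime.
template <typename T> class RefPtr {
public:
    RefPtr() : m_ptr(nullptr) {}
    RefPtr(const RefPtr& o) : m_ptr(o.m_ptr) { if (m_ptr) m_ptr->ref(); }
    RefPtr(const PassRefPtr<T>& o);                      // takes over the reference the PassRefPtr carries
    ~RefPtr() { if (m_ptr) m_ptr->deref(); }
    RefPtr& operator=(const RefPtr& o) { if (o.m_ptr) o.m_ptr->ref(); T* old = m_ptr; m_ptr = o.m_ptr; if (old) old->deref(); return *this; }
    T* get() const { return m_ptr; }
    T* operator->() const { return m_ptr; }
    PassRefPtr<T> release();                             // hand the reference on with no ref()/deref() churn
private:
    T* m_ptr;
};

// Transfer pointer: carries exactly one reference from producer to consumer. If nobody takes it,
// the destructor drops it, which for a temporary happens at the end of the full expression.
template <typename T> class PassRefPtr {
public:
    PassRefPtr(T* p, AdoptTag) : m_ptr(p) {}
    PassRefPtr(const RefPtr<T>& o) : m_ptr(o.get()) { if (m_ptr) m_ptr->ref(); }
    PassRefPtr(const PassRefPtr& o) : m_ptr(o.leakRef()) {}
    ~PassRefPtr() { if (m_ptr) m_ptr->deref(); }
    T* get() const { return m_ptr; }
    T* leakRef() const { T* p = m_ptr; m_ptr = nullptr; return p; }
private:
    mutable T* m_ptr;
};
template <typename T> PassRefPtr<T> adoptRef(T* p) { return PassRefPtr<T>(p, AdoptTag()); }
template <typename T> RefPtr<T>::RefPtr(const PassRefPtr<T>& o) : m_ptr(o.leakRef()) {}
template <typename T> PassRefPtr<T> RefPtr<T>::release() { T* p = m_ptr; m_ptr = nullptr; return PassRefPtr<T>(p, AdoptTag()); }

// Stand-in for the allocator tracking ASan does: the set of Image objects currently alive.
static std::set<const void*> g_liveImages;

class Image : public RefCounted {
public:
    static PassRefPtr<Image> create() { return adoptRef(new Image()); }
    static bool isLive(const Image* p) { return g_liveImages.count(p) != 0; }
    ~Image() { g_liveImages.erase(this); }
private:
    Image() { g_liveImages.insert(this); }
};

// Hypothetical model of StyleImage::image(): a cached image shares a reference the cache keeps alive;
// an uncached generated gradient is created on each call and the returned reference is the ONLY one.
class StyleImage {
public:
    explicit StyleImage(bool cached) : m_cachedImage(cached ? RefPtr<Image>(Image::create()) : RefPtr<Image>()) {}
    PassRefPtr<Image> image() const {
        if (m_cachedImage.get()) return m_cachedImage;   // cache still holds a reference after the caller's PassRefPtr dies
        return Image::create();                           // refcount 1: whoever drops the returned PassRefPtr frees it
    }
private:
    RefPtr<Image> m_cachedImage;
};

// Hypothetical createRasterShape(PassRefPtr<Image>): the shape takes over the reference it is handed.
struct RasterShape { RefPtr<Image> image; };
RasterShape createRasterShape(PassRefPtr<Image> image) { RasterShape shape{ RefPtr<Image>(image) }; return shape; }

// BEFORE: the pattern the description says getShapeImageAndRect() had. image() returns a temporary
// PassRefPtr that is destroyed at the end of this full expression; for an uncached gradient that drops
// the only reference, so `image` dangles and the later drawImage() is the heap-use-after-free.
bool drawShapeImageBefore(const StyleImage& style) {
    Image* image = style.image().get();
    return Image::isLive(image);          // false for an uncached image (would be a UAF), true for a cached one
}

// AFTER: the shape of the fix. A RefPtr owns the reference while the raw pointer is in use, then
// release() hands that same reference to the PassRefPtr-taking consumer without extra ref/deref traffic.
bool drawShapeImageAfter(const StyleImage& style, RasterShape* out) {
    RefPtr<Image> generatedImage = style.image();
    Image* image = generatedImage.get();
    bool liveWhileDrawing = Image::isLive(image);
    *out = createRasterShape(generatedImage.release());  // generatedImage is now null; the shape owns the reference
    return liveWhileDrawing && Image::isLive(out->image.get());
}
```

The cached path passes the "before" version too, which is why the bug only surfaces with an uncached gradient and why the regression test added in this issue is named shape-outside-uncached-gradient. After the fix the uncached image ends with a refcount of 1 (the shape alone) and the cached one with 2 (cache plus shape), so release() transfers ownership without the churn a get()-then-copy would add.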

Patch Set 1

Total comments: 3

Patch Set 2: Removed a spurious .get()

Stats (+54 lines, -29 lines)
A   LayoutTests/fast/shapes/shape-outside-floats/shape-outside-uncached-gradient.html (1 chunk, +25 lines, -0 lines, 0 comments)
A + LayoutTests/fast/shapes/shape-outside-floats/shape-outside-uncached-gradient-expected.txt (1 chunk, +1 line, -2 lines, 0 comments)
M   Source/core/rendering/shapes/ShapeOutsideInfo.h (1 chunk, +2 lines, -0 lines, 0 comments)
M   Source/core/rendering/shapes/ShapeOutsideInfo.cpp (3 chunks, +26 lines, -27 lines, 0 comments)

Messages

Total messages: 14 (0 generated)
Hans Muller
Uncached gradient images are now safe for shapes. I'd appreciate a review.
6 years, 6 months ago (2014-05-30 21:03:41 UTC) #1
eseidel
lgtm https://codereview.chromium.org/305173003/diff/1/Source/core/rendering/shapes/ShapeOutsideInfo.cpp File Source/core/rendering/shapes/ShapeOutsideInfo.cpp (right): https://codereview.chromium.org/305173003/diff/1/Source/core/rendering/shapes/ShapeOutsideInfo.cpp#newcode117 Source/core/rendering/shapes/ShapeOutsideInfo.cpp:117: Image* image = 0; Might as well just ...
6 years, 6 months ago (2014-05-30 21:06:45 UTC) #2
pdr.
On 2014/05/30 21:06:45, eseidel wrote: > lgtm > > https://codereview.chromium.org/305173003/diff/1/Source/core/rendering/shapes/ShapeOutsideInfo.cpp > File Source/core/rendering/shapes/ShapeOutsideInfo.cpp (right): > ...
6 years, 6 months ago (2014-05-30 21:08:15 UTC) #3
rwlbuis
LGTM https://codereview.chromium.org/305173003/diff/1/Source/core/rendering/shapes/ShapeOutsideInfo.cpp File Source/core/rendering/shapes/ShapeOutsideInfo.cpp (right): https://codereview.chromium.org/305173003/diff/1/Source/core/rendering/shapes/ShapeOutsideInfo.cpp#newcode118 Source/core/rendering/shapes/ShapeOutsideInfo.cpp:118: RefPtr<Image> generatedImage; Nit: could move this into the ...
6 years, 6 months ago (2014-05-30 21:14:05 UTC) #4
Hans Muller
On 2014/05/30 21:08:15, pdr wrote: > On 2014/05/30 21:06:45, eseidel wrote: > > lgtm > ...
6 years, 6 months ago (2014-05-30 21:17:53 UTC) #5
Hans Muller
On 2014/05/30 21:14:05, rwlbuis wrote: > LGTM > > https://codereview.chromium.org/305173003/diff/1/Source/core/rendering/shapes/ShapeOutsideInfo.cpp > File Source/core/rendering/shapes/ShapeOutsideInfo.cpp (right): > ...
6 years, 6 months ago (2014-05-30 21:20:24 UTC) #6
eseidel
https://codereview.chromium.org/305173003/diff/1/Source/core/rendering/shapes/ShapeOutsideInfo.cpp File Source/core/rendering/shapes/ShapeOutsideInfo.cpp (right): https://codereview.chromium.org/305173003/diff/1/Source/core/rendering/shapes/ShapeOutsideInfo.cpp#newcode124 Source/core/rendering/shapes/ShapeOutsideInfo.cpp:124: image = generatedImage.get(); I was more reacting to this ...
6 years, 6 months ago (2014-05-30 21:22:08 UTC) #7
eseidel
If you were concerned about the ref-churn, you could even do: image = generatedImage.release(); Then ...
6 years, 6 months ago (2014-05-30 21:23:53 UTC) #8
eseidel
createRasterShape takes a PassRefPtr, correct? If so, then it doesn't matter how long generatedImage survives, ...
6 years, 6 months ago (2014-05-30 21:28:52 UTC) #9
Hans Muller
On 2014/05/30 21:28:52, eseidel wrote: > createRasterShape takes a PassRefPtr, correct? If so, then it ...
6 years, 6 months ago (2014-05-30 21:34:48 UTC) #10
Hans Muller
On 2014/05/30 21:34:48, Hans Muller wrote: > On 2014/05/30 21:28:52, eseidel wrote: > > createRasterShape ...
6 years, 6 months ago (2014-05-30 22:07:04 UTC) #11
Hans Muller
The CQ bit was checked by hmuller@adobe.com
6 years, 6 months ago (2014-05-30 22:08:06 UTC) #12
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/hmuller@adobe.com/305173003/20001
6 years, 6 months ago (2014-05-30 22:09:34 UTC) #13
commit-bot: I haz the power
6 years, 6 months ago (2014-05-31 00:10:15 UTC) #14
Message was sent while issue was closed.
Change committed as 175176