[Webkit-unassigned] [Bug 27777] New: ImageSourceCG makes bad data refs (race condition causes blank images)

Tue Jul 28 13:23:24 PDT 2009

https://bugs.webkit.org/show_bug.cgi?id=27777

           Summary: ImageSourceCG makes bad data refs (race condition
                    causes blank images)
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
        OS/Version: Mac OS X 10.5
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: Platform
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: avi at drissman.com

Avi Drissman <avi at drissman.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #33665|                            |review?(fishd at chromium.org)
               Flag|                            |

Created an attachment (id=33665)
 --> (https://bugs.webkit.org/attachment.cgi?id=33665)
Patch to fix

When you create a CGImageRef, it takes the CFDataRef that holds its backing
data, and retains it for its entire lifetime.

The problem here is that ImageSourceCG uses CFDataCreateWithBytesNoCopy to
create the CFDataRef containing the image data. When you use
CFDataCreateWithBytesNoCopy, it's up to you to ensure that the backing store
that you pass to it stays valid through the lifetime of the created CFDataRef.

Since the lifetime of the CFDataRef is the lifetime of the CGImageRef,
ImageSourceCG makes a promise that it can't keep. The SharedBuffer is passed in
as a parameter to setData--who knows if it will live longer than the created
CGImageRef?

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.