[Webkit-unassigned] [Bug 37973] New: REGRESSION: TextIterator may use freed memory
bugzilla-daemon at webkit.org
Wed Apr 21 23:25:57 PDT 2010
https://bugs.webkit.org/show_bug.cgi?id=37973
Summary: REGRESSION: TextIterator may use freed memory
Product: WebKit
Version: 528+ (Nightly build)
Platform: All
OS/Version: All
Status: NEW
Severity: Normal
Priority: P2
Component: HTML Editing
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: hamaji at chromium.org
http://trac.webkit.org/changeset/58040 modified TextIterator::emitText and it uses RenderText::textWithoutTranscoding, which may return a String with refcnt == 1. TextIterator::emitText doesn't increment the refcnt of the returned String, so the String created by textWithoutTranscoding() will be freed when emitString() finishes. This means we will touch the freed buffer. The test I added in r58040 happened to work for most platforms except chromium-win-debug (maybe because the iterator uses the freed buffer soon after the buffer is freed).
My apologies for this bug.
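As an added illustration (not code from this bug report or from WebKit), a simplified C++ model of the lifetime problem the report describes: a String handle over a ref-counted StringImpl, a stand-in for textWithoutTranscoding() that returns a fresh String whose buffer has refcount 1, and two iterator shapes side by side, the one that keeps only the raw character pointer of the temporary (dangling as soon as the temporary is destroyed) and the one that keeps the String itself so the buffer stays referenced. The String/StringImpl classes, the g_liveBuffers tracker and the iterator and check names are assumptions of this example, not WebKit's.

```cpp
#include <set>
#include <string>

// Addresses of character buffers currently allocated; a teaching aid for this
// example, standing in for what a debug allocator or ASan would flag.
static std::set<const char*> g_liveBuffers;

// Simplified stand-in for WebKit's StringImpl: one shared, ref-counted buffer.
struct StringImpl {
    int refCount = 0;
    std::string chars;
    explicit StringImpl(const char* s) : chars(s) { g_liveBuffers.insert(chars.c_str()); }
    ~StringImpl() { g_liveBuffers.erase(chars.c_str()); }
};
// Simplified stand-in for WebKit's String: a handle that owns one reference.
class String {
public:
    String() : m_impl(nullptr) {}
    explicit String(const char* s) : m_impl(new StringImpl(s)) { ref(); }
    String(const String& o) : m_impl(o.m_impl) { ref(); }
    String& operator=(const String& o) { if (o.m_impl) ++o.m_impl->refCount; deref(); m_impl = o.m_impl; return *this; }
    ~String() { deref(); }
    const char* characters() const { return m_impl ? m_impl->chars.c_str() : nullptr; }
    int refCount() const { return m_impl ? m_impl->refCount : 0; }
private:
    void ref() { if (m_impl) ++m_impl->refCount; }
    void deref() { if (m_impl && --m_impl->refCount == 0) delete m_impl; }
    StringImpl* m_impl;
};

// Stand-in for RenderText::textWithoutTranscoding(): a freshly built String whose
// buffer has exactly one owner, the returned temporary (refcount == 1).
String textWithoutTranscoding(const char* rawText) { return String(rawText); }

// Buggy shape from the report: only the raw character pointer is kept, so the
// temporary String dies at the end of the statement and frees the buffer.
struct DanglingIterator {
    const char* m_textCharacters = nullptr;
    void emitText(const char* raw) { m_textCharacters = textWithoutTranscoding(raw).characters(); }
    bool bufferIsLive() const { return g_liveBuffers.count(m_textCharacters) != 0; }
};
// Fixed shape: keep the String itself, holding a reference as long as the pointer is used.
struct SafeIterator {
    String m_text;
    const char* m_textCharacters = nullptr;
    void emitText(const char* raw) { m_text = textWithoutTranscoding(raw); m_textCharacters = m_text.characters(); }
    bool bufferIsLive() const { return g_liveBuffers.count(m_textCharacters) != 0; }
};
// Named checks so each pattern can be exercised directly (constructed sample text).
bool danglingPatternFreesBuffer() { DanglingIterator it; it.emitText("constructed sample text"); return !it.bufferIsLive(); }
bool fixedPatternKeepsBuffer() { SafeIterator it; it.emitText("constructed sample text"); return it.bufferIsLive() && it.m_text.refCount() == 1; }
```

The liveness check is evaluated before any further allocation, since a real freed block can be reused by the next allocation, which is exactly why such a bug can stay silent on most platforms until a debug allocator or a differently timed reuse exposes it.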