[Webkit-unassigned] [Bug 111179] New: [Cairo] Surface pointer passed to asNewNativeImage() might be freed.

bugzilla-daemon at webkit.org
Fri Mar 1 07:09:57 PST 2013


https://bugs.webkit.org/show_bug.cgi?id=111179

           Summary: [Cairo] Surface pointer passed to asNewNativeImage()
                    might be freed.
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Platform
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: zherczeg at webkit.org
                CC: alex at igalia.com, mrobinson at webkit.org, noam at webkit.org


Created an attachment (id=190964)
 --> (https://bugs.webkit.org/attachment.cgi?id=190964&action=review)
early draft patch

Hi Martin,

you made a patch a year ago which refactored how Cairo wraps surfaces. The side effect of your "just a refactoring" patch is that when the frame data is moved, the Cairo surface does not know about it. For example, this might happen in GIFImageDecoder.cpp:90

m_frameBufferCache.resize(reader.images_count); // Reallocates all pixel buffers.

When the following image is loaded:

<html><body>
<img width=90 height=90 src="http://images.animationfactory.com/thw/thw17/AFCT/20090116/FTW/i/12316066.gif?mouse_new_year_2012_confetti_sm_wm">
</body></html>

This was actually a really nasty bug, which took me a week to debug, because it unfortunately disappears when valgrind or gdb is used. It appears only when WebKit execution is fast and the download speed is slow (some kind of race condition). So I finally used mprotect to force a crash on memory write.

A draft patch is attached, but I don't think this is the best solution. Any suggestions are welcome.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
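The failure mode described in the report, as an added example that is not part of the report or of WebKit: a stand-in surface wraps a pixel buffer, the buffer is moved the way a vector resize moves it, and the page the old pixels lived on is marked PROT_NONE with mprotect (the technique the reporter used) so the stale write traps instead of silently corrupting memory. FakeSurface, move_pixels and demo_stale_surface are hypothetical names; Cairo itself is not linked, and the buffers are constructed inline.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Stand-in for a Cairo image surface that wraps caller-owned pixel memory. */
typedef struct { unsigned char *pixels; size_t size; } FakeSurface;
static sigjmp_buf fault_env;
static void on_segv(int sig) { (void)sig; siglongjmp(fault_env, 1); }
/* One whole page per buffer so its protection can be changed independently. */
static unsigned char *alloc_pixels(size_t page) {
    void *p = mmap(NULL, page, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : (unsigned char *)p;
}
/* Move the pixels to new storage, as a vector resize would. Instead of releasing the
   old storage, make it inaccessible so any stale write through an old surface traps. */
static unsigned char *move_pixels(unsigned char *old, size_t page) {
    unsigned char *fresh = alloc_pixels(page);
    if (!fresh) return NULL;
    memcpy(fresh, old, page);
    mprotect(old, page, PROT_NONE);  /* the guard: the "freed" memory becomes a trap */
    return fresh;
}
/* Write one pixel through the surface; returns 1 if the write faulted, 0 if it succeeded. */
static int write_through_surface(FakeSurface *s) {
    struct sigaction sa = { 0 }, old_sa;
    sa.sa_handler = on_segv;
    sigaction(SIGSEGV, &sa, &old_sa);
    int faulted = 1;
    if (sigsetjmp(fault_env, 1) == 0) { s->pixels[0] = 0xff; faulted = 0; }
    sigaction(SIGSEGV, &old_sa, NULL);
    return faulted;
}

/* Surface wraps the buffer, the buffer is moved, the old surface is still used. */
int demo_stale_surface(void) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *buf = alloc_pixels(page);
    FakeSurface surface = { buf, page };
    unsigned char *moved = move_pixels(buf, page);   /* the resize the report describes */
    int stale_faulted = write_through_surface(&surface);
    FakeSurface rewrapped = { moved, page };         /* fix: re-wrap the pixels after the move */
    int fresh_ok = write_through_surface(&rewrapped) == 0;
    munmap(moved, page); munmap(buf, page);
    return stale_faulted && fresh_ok;
}
```

demo_stale_surface() returns 1 only when the write through the old surface trapped and the write through the re-wrapped surface succeeded, which is exactly the distinction the reporter needed valgrind and gdb to show but could not.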