[Webkit-unassigned] [Bug 151845] New: DumpRenderTree: Use-after-free in createBitmapContext() in PixelDumpSupportMac.mm
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Thu Dec 3 20:24:31 PST 2015
https://bugs.webkit.org/show_bug.cgi?id=151845
Bug ID: 151845
Summary: DumpRenderTree: Use-after-free in
createBitmapContext() in PixelDumpSupportMac.mm
Classification: Unclassified
Product: WebKit
Version: Other
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: Tools / Tests
Assignee: webkit-unassigned at lists.webkit.org
Reporter: ddkilzer at webkit.org
CC: lforschler at apple.com
The clang static analyzer found the following issue:
DumpRenderTree/mac/PixelDumpSupportMac.mm:67:9: warning: Use of memory after it is freed
WTFLogAlways("DumpRenderTree: CGBitmapContextCreate(%p, %llu, %llu, 8, %llu, %p, 0x%x) failed\n", buffer, pixelsHigh, pixelsWide, rowBytes, colorSpace.get(), kCGImageAlphaPremultipliedFirst | kCGBitmapByteOrder32Host);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The issue is that free(buffer) is called before it's used in the WTFLogAlways() macro:
if (!context) {
free(buffer);
WTFLogAlways("DumpRenderTree: CGBitmapContextCreate(%p, %llu, %llu, 8, %llu, %p, 0x%x) failed\n", buffer, pixelsHigh, pixelsWide, rowBytes, colorSpace.get(), kCGImageAlphaPremultipliedFirst | kCGBitmapByteOrder32Host);
return nullptr;
}
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20151204/940f4fc4/attachment.html>
More information about the webkit-unassigned
mailing list