[Webkit-unassigned] [Bug 162823] New: REGRESSION (r): WebCore::ImageBuffer::createCompatibleBuffer() in ImageBufferCG.cpp over-releases CGColorSpaceRef objects
bugzilla-daemon at webkit.org
Fri Sep 30 18:37:35 PDT 2016
https://bugs.webkit.org/show_bug.cgi?id=162823
Bug ID: 162823
Summary: REGRESSION (r): WebCore::ImageBuffer::createCompatibleBuffer() in ImageBufferCG.cpp over-releases CGColorSpaceRef objects
Classification: Unclassified
Product: WebKit
Version: Safari 10
Hardware: Unspecified
OS: Unspecified
Status: NEW
Keywords: InRadar
Severity: Normal
Priority: P1
Component: Images
Assignee: webkit-unassigned at lists.webkit.org
Reporter: ddkilzer at webkit.org
CC: dino at apple.com, simon.fraser at apple.com
WebCore::ImageBuffer::createCompatibleBuffer() in Source/WebCore/platform/graphics/cg/ImageBufferCG.cpp over-releases CGColorSpaceRef objects in two different code paths:
    RetainPtr<CGColorSpaceRef> colorSpace;
#if PLATFORM(COCOA)
    CGContextRef cgContext = context.platformContext();
    switch (CGContextGetType(cgContext)) {
    case kCGContextTypeBitmap:
        colorSpace = adoptCF(CGBitmapContextGetColorSpace(cgContext)); // BUG!
        break;
#if USE(IOSURFACE)
    case kCGContextTypeIOSurface:
        colorSpace = adoptCF(CGIOSurfaceContextGetColorSpace(cgContext)); // BUG!
        break;
#endif
    default:
        colorSpace = adoptCF(CGContextCopyDeviceColorSpace(cgContext));
    }
Neither CGBitmapContextGetColorSpace() nor CGIOSurfaceContextGetColorSpace() returns a +1 retained CGColorSpaceRef, so using adoptCF() will over-release the CGColorSpaceRef object later when RetainPtr<CGColorSpaceRef> colorSpace goes out of scope.
<rdar://problem/27723268>
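The ownership rule the report relies on is the CoreFoundation "Get" vs "Copy/Create" convention: a Get accessor hands back a +0 reference still owned by the context, a Copy/Create accessor hands back a +1 reference the caller owns, and adoptCF() must only ever wrap the latter. The following is an added example, not code from the bug report or from WebKit: a self-contained C++ model with a toy reference-counted object, toy Get/Copy accessors and a toy RetainPtr (the names RefCounted, Context, contextGetColorSpace, contextCopyColorSpace, runScenario and Pattern are assumptions invented for the model). It runs the three ownership patterns from the switch above and counts how many releases land on an object whose count has already reached zero, which is the over-release the report describes.

```cpp
#include <cstdio>
#include <utility>

// Toy model of a CoreFoundation-style reference-counted object (assumption:
// not CF itself). Created at +1, as a CFCreate/CFCopy result would be.
struct RefCounted {
    int refCount = 1;
    bool freed = false;
    int overReleases = 0;  // releases attempted after the count hit zero
};

// Models of CFRetain/CFRelease. A real over-release is a use-after-free;
// here it is only counted so the scenario can report it.
static void cfRetain(RefCounted* o) { ++o->refCount; }
static void cfRelease(RefCounted* o) {
    if (o->refCount <= 0) { ++o->overReleases; return; }
    if (--o->refCount == 0) o->freed = true;
}

// The context owns one color space object.
struct Context { RefCounted* colorSpace; };

// "Get" accessor: returns a +0 reference the context still owns.
static RefCounted* contextGetColorSpace(Context& c) { return c.colorSpace; }

// "Copy" accessor: returns a +1 reference the caller now owns.
static RefCounted* contextCopyColorSpace(Context& c) {
    cfRetain(c.colorSpace);
    return c.colorSpace;
}

// Toy RetainPtr: constructing from a raw pointer retains it (+1 of its own),
// adoptCF() takes over an existing +1 without retaining; both release on scope exit.
class RetainPtr {
public:
    struct AdoptTag {};
    RetainPtr() = default;
    explicit RetainPtr(RefCounted* p) : m_ptr(p) { if (p) cfRetain(p); }
    RetainPtr(AdoptTag, RefCounted* p) : m_ptr(p) {}
    RetainPtr(const RetainPtr&) = delete;
    RetainPtr& operator=(const RetainPtr&) = delete;
    RetainPtr(RetainPtr&& o) noexcept : m_ptr(o.m_ptr) { o.m_ptr = nullptr; }
    RetainPtr& operator=(RetainPtr&& o) noexcept {
        if (this != &o) {
            if (m_ptr) cfRelease(m_ptr);
            m_ptr = o.m_ptr;
            o.m_ptr = nullptr;
        }
        return *this;
    }
    ~RetainPtr() { if (m_ptr) cfRelease(m_ptr); }
private:
    RefCounted* m_ptr = nullptr;
};

static RetainPtr adoptCF(RefCounted* p) { return RetainPtr(RetainPtr::AdoptTag{}, p); }

// The three ownership patterns in the switch from the report.
enum class Pattern {
    AdoptGet,   // adoptCF() on a +0 "Get" result: the bug
    RetainGet,  // plain RetainPtr on a +0 "Get" result: balanced
    AdoptCopy   // adoptCF() on a +1 "Copy" result: balanced (the default branch)
};

// Runs one pattern, lets the RetainPtr go out of scope, then has the context
// drop its own reference. Returns the final state of the object.
static RefCounted runScenario(Pattern pattern) {
    RefCounted cs;            // +1, owned by the context
    Context ctx{&cs};
    {
        RetainPtr colorSpace;
        switch (pattern) {
        case Pattern::AdoptGet:  colorSpace = adoptCF(contextGetColorSpace(ctx)); break;
        case Pattern::RetainGet: colorSpace = RetainPtr(contextGetColorSpace(ctx)); break;
        case Pattern::AdoptCopy: colorSpace = adoptCF(contextCopyColorSpace(ctx)); break;
        }
    }                         // colorSpace destroyed here: one release
    cfRelease(ctx.colorSpace);  // the context releases the reference it owns
    return cs;
}

int main() {
    const char* names[] = { "adoptCF(Get)", "RetainPtr(Get)", "adoptCF(Copy)" };
    Pattern patterns[] = { Pattern::AdoptGet, Pattern::RetainGet, Pattern::AdoptCopy };
    for (int i = 0; i < 3; ++i) {
        RefCounted r = runScenario(patterns[i]);
        std::printf("%-16s freed=%d overReleases=%d\n", names[i], r.freed, r.overReleases);
    }
    return 0;
}
```

Only the adoptCF(Get) pattern leaves the context releasing an object that is already at zero; in real CoreFoundation that second release is a use-after-free rather than a counter. The check to carry away is mechanical: adoptCF() pairs with Copy/Create accessors, and a Get accessor's result goes into a plain RetainPtr so the smart pointer takes its own reference.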