<html>

    <head>

      <base href="https://bugs.webkit.org/" />

    </head>

    <body><table border="1" cellspacing="0" cellpadding="8">

        <tr>

          <th>Bug ID</th>

          <td><a class="bz_bug_link 

          bz_status_NEW "

   title="NEW - REGRESSION (r): WebCore::ImageBuffer::createCompatibleBuffer() in ImageBufferCG.cpp over-releases CGColorSpaceRef objects"

   href="https://bugs.webkit.org/show_bug.cgi?id=162823">162823</a>

          </td>

        </tr>

        <tr>

          <th>Summary</th>

          <td>REGRESSION (r): WebCore::ImageBuffer::createCompatibleBuffer() in ImageBufferCG.cpp over-releases CGColorSpaceRef objects

          </td>

        </tr>

        <tr>

          <th>Classification</th>

          <td>Unclassified

          </td>

        </tr>

        <tr>

          <th>Product</th>

          <td>WebKit

          </td>

        </tr>

        <tr>

          <th>Version</th>

          <td>Safari 10

          </td>

        </tr>

        <tr>

          <th>Hardware</th>

          <td>Unspecified

          </td>

        </tr>

        <tr>

          <th>OS</th>

          <td>Unspecified

          </td>

        </tr>

        <tr>

          <th>Status</th>

          <td>NEW

          </td>

        </tr>

        <tr>

          <th>Keywords</th>

          <td>InRadar

          </td>

        </tr>

        <tr>

          <th>Severity</th>

          <td>Normal

          </td>

        </tr>

        <tr>

          <th>Priority</th>

          <td>P1

          </td>

        </tr>

        <tr>

          <th>Component</th>

          <td>Images

          </td>

        </tr>

        <tr>

          <th>Assignee</th>

          <td>webkit-unassigned&#64;lists.webkit.org

          </td>

        </tr>

        <tr>

          <th>Reporter</th>

          <td>ddkilzer&#64;webkit.org

          </td>

        </tr>

        <tr>

          <th>CC</th>

          <td>dino&#64;apple.com, simon.fraser&#64;apple.com

          </td>

        </tr></table>

      <p>

        <div>

        <pre>WebCore::ImageBuffer::createCompatibleBuffer() in Source/WebCore/platform/graphics/cg/ImageBufferCG.cpp over-releases CGColorSpaceRef objects in two different code paths:

    RetainPtr&lt;CGColorSpaceRef&gt; colorSpace;

#if PLATFORM(COCOA)

    CGContextRef cgContext = context.platformContext();

    switch (CGContextGetType(cgContext)) {

    case kCGContextTypeBitmap:

        colorSpace = adoptCF(CGBitmapContextGetColorSpace(cgContext)); // BUG!

        break;

#if USE(IOSURFACE)

    case kCGContextTypeIOSurface:

        colorSpace = adoptCF(CGIOSurfaceContextGetColorSpace(cgContext)); // BUG!

        break;

#endif

    default:

        colorSpace = adoptCF(CGContextCopyDeviceColorSpace(cgContext));

    }

Neither CGBitmapContextGetColorSpace() nor CGIOSurfaceContextGetColorSpace() returns a +1 retained CGColorSpaceRef, so using adoptCF() will over-release the CGColorSpaceRef object later when RetainPtr&lt;CGColorSpaceRef&gt; colorSpace goes out of scope.

&lt;rdar://problem/27723268&gt;</pre>

        </div>

      </p>

      <hr>

      <span>You are receiving this mail because:</span>

      <ul>

          <li>You are the assignee for the bug.</li>

      </ul>

    </body>

</html>