Bug 279478
| Summary: | Make FontProxy RefCounted | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Said Abou-Hallawa <sabouhallawa> |
| Component: | Canvas | Assignee: | Nobody <webkit-unassigned> |
| Status: | NEW | ||
| Severity: | Normal | CC: | sabouhallawa, webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| See Also: | https://bugs.webkit.org/show_bug.cgi?id=279348 | ||
Said Abou-Hallawa
CanvasRenderingContext2DBase::drawTextUnchecked() gets a reference to state().fontProxy. If before using this reference, this function changes m_stateStack by calling save() or restore() this reference may be pointing to freed memory. This will happen when Vector::append reallocates the buffer of m_stateStack. Applying filter to the canvas requires save() and restore() to be called when switching the context target.
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
Radar WebKit Bug Importer
<rdar://problem/136185867>
Said Abou-Hallawa
When fixing this bug, please remove the FIXME comment in CanvasRenderingContext2DBase::drawTextUnchecked() and change the code such that it does not refetch the FontProxy after calling CanvasFilterContextSwitcher::create().