Bug 37973

Summary: REGRESSION(58040): TextIterator may use freed memory
Product: WebKit
Reporter: Shinichiro Hamaji <hamaji>
Component: HTML Editing
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: yuzo
Priority: P2
Version: 528+ (Nightly build)
Hardware: All
OS: All
Attachments: Patch v1 (flags: darin: review+)

Shinichiro Hamaji
Reported 2010-04-21 23:25:57 PDT
http://trac.webkit.org/changeset/58040 modified TextIterator::emitText and it uses RenderText::textWithoutTranscoding which may return String with refcnt==1. TextIterator::emitText doesn't increment the refcnt of the returned String so the String created by textWithoutTranscoding() will be freed when emitString() finishes. This means we will touch the freed buffer. The test I added in r58040 happened to work for most platforms except chromium-win-debug (maybe because the iterator uses the freed buffer soon after the buffer is freed). My apologies for this bug.
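The lifetime bug described above, as an added example that is not WebKit's code: a minimal refcounted string stands in for WTF::String, `textWithoutTranscoding` returns a fresh String with refcount 1, and the two iterator shapes show the dangling pointer versus the extra `m_text` member from the attached patch (all names here are hypothetical stand-ins; the weak_ptr observers exist only to make the buffer's lifetime checkable).

```cpp
#include <memory>
#include <string>

// Stand-in for WTF::String: a handle to a shared, refcounted character buffer.
struct SharedString {
    std::shared_ptr<const std::string> impl;
    explicit SharedString(std::string s)
        : impl(std::make_shared<const std::string>(std::move(s))) {}
    const char* characters() const { return impl->data(); }
};

// Stand-in for RenderText::textWithoutTranscoding(): returns a String that
// nobody else holds, so its refcount is exactly 1 when it comes back.
SharedString textWithoutTranscoding(const std::string& raw) {
    return SharedString(raw); // constructed sample; no real transcoding done
}

// Buggy shape of TextIterator::emitText after r58040: only the raw character
// pointer is kept, so the temporary String (and its buffer) dies at the end
// of the call and m_textCharacters is left dangling.
struct BuggyIterator {
    const char* m_textCharacters = nullptr;
    std::weak_ptr<const std::string> m_observer; // demo only: tracks buffer lifetime
    void emitText(const std::string& raw) {
        SharedString str = textWithoutTranscoding(raw);
        m_textCharacters = str.characters();
        m_observer = str.impl;
    } // str destroyed here: refcount drops to 0 and the buffer is freed
    bool bufferAlive() const { return !m_observer.expired(); }
};

// Fixed shape (the patch under review): an extra String member keeps a
// reference, so the buffer outlives the call and the pointer stays valid.
struct FixedIterator {
    SharedString m_text{std::string()}; // "Prevent m_textCharacters from being freed."
    const char* m_textCharacters = nullptr;
    std::weak_ptr<const std::string> m_observer; // demo only
    void emitText(const std::string& raw) {
        m_text = textWithoutTranscoding(raw); // member holds the refcount >= 1
        m_textCharacters = m_text.characters();
        m_observer = m_text.impl;
    }
    bool bufferAlive() const { return !m_observer.expired(); }
};
```

In a real build the buggy variant is the kind of read-after-free that ASan or a debug allocator (as on chromium-win-debug) flags while release builds often get away with it.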
Attachments
Patch v1 (3.65 KB, patch)
2010-04-21 23:28 PDT, Shinichiro Hamaji
darin: review+
Shinichiro Hamaji
Comment 1 2010-04-21 23:28:32 PDT
Created attachment 54028 [details] Patch v1
Shinichiro Hamaji
Comment 2 2010-04-21 23:29:33 PDT
*** Bug 37907 has been marked as a duplicate of this bug. ***
Darin Adler
Comment 3 2010-04-22 12:56:05 PDT
Comment on attachment 54028 [details] Patch v1
WebCore/editing/TextIterator.h:130
+ // Prevent m_textCharacters from being freed.
+ String m_text;
I think this comment is not as clear as it could be, but I don't have any specific suggestions for improving it.
Shinichiro Hamaji
Comment 4 2010-04-22 21:51:57 PDT