Bug 141168 (RESOLVED FIXED): Memory is written to after deallocated, in GraphicsLayer::setMaskLayer.
https://bugs.webkit.org/show_bug.cgi?id=141168
Reported by peavo, 2015-02-02 12:35:34 PST
Visual Studio detected that a deallocated heap block had been modified in GraphicsLayer::setMaskLayer, when called from RenderLayerBacking::updateChildClippingStrategy.

    void GraphicsLayer::setMaskLayer(GraphicsLayer* layer)
    {
        if (layer == m_maskLayer)
            return;

        if (layer) {
            layer->removeFromParent();
            layer->setParent(this);
            layer->setIsMaskLayer(true);
        } else if (m_maskLayer) {
            m_maskLayer->setParent(nullptr);      // <--------------- Writing to deallocated memory
            m_maskLayer->setIsMaskLayer(false);   // <---------------
        }

        m_maskLayer = layer;
    }
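As an added illustration (not WebKit's code and not the patch in attachment 245894), a simplified stand-in for the layer objects shows why the null branch of setMaskLayer writes through a dangling pointer when the mask layer is freed before its parent drops the reference, and how a debug liveness check catches the wrong teardown order. All class and function names here are hypothetical.

```cpp
#include <memory>
#include <set>

// Simplified stand-in for GraphicsLayer written for this illustration; it is
// neither WebKit's code nor the patch in attachment 245894.
class Layer;
static std::set<const Layer*> g_liveLayers;  // debug liveness map (what ASan tracks for real)
static int g_danglingWrites = 0;             // writes that would have landed in freed memory

class Layer {
public:
    Layer() { g_liveLayers.insert(this); }
    ~Layer() { g_liveLayers.erase(this); }
    // Same shape as the reported setMaskLayer. m_maskLayer is a raw, non-owning
    // pointer, so if the mask was destroyed first the null branch writes into
    // freed memory; the liveness check here stands in for a debug ASSERT.
    void setMaskLayer(Layer* layer) {
        if (layer == m_maskLayer)
            return;
        if (layer) {
            layer->m_parent = this;
            layer->m_isMask = true;
        } else if (m_maskLayer) {
            if (!g_liveLayers.count(m_maskLayer)) {
                ++g_danglingWrites;          // would have been a write-after-free
            } else {
                m_maskLayer->m_parent = nullptr;
                m_maskLayer->m_isMask = false;
            }
        }
        m_maskLayer = layer;
    }
private:
    Layer* m_parent = nullptr;
    Layer* m_maskLayer = nullptr;
    bool m_isMask = false;
};

// Models the owner (RenderLayerBacking in the report) tearing down its child clipping
// mask. detachFirst == false reproduces the ordering from the bug: the mask is freed
// while the parent still points at it.
int dropMask(bool detachFirst) {
    g_danglingWrites = 0;
    auto parent = std::make_unique<Layer>();
    auto mask = std::make_unique<Layer>();
    parent->setMaskLayer(mask.get());
    if (detachFirst)
        parent->setMaskLayer(nullptr);   // safe: the pointer is still valid here
    mask.reset();                        // mask deallocated; parent's m_maskLayer dangles unless detached
    parent->setMaskLayer(nullptr);       // early return if already null, otherwise a dangling write
    return g_danglingWrites;             // 0 when detached first, 1 when freed first
}
```

The liveness set only catches the case the reporter describes, a write shortly after the free; once the block is reused by a new allocation the same write silently corrupts the new object, which is why a sanitizer build is the reliable way to surface this class of bug.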
Attachments
Patch (1.56 KB, patch), 2015-02-02 12:40 PST, peavo, no flags
peavo
Comment 1
2015-02-02 12:40:43 PST
Created attachment 245894 [details]: Patch
Brent Fulgham
Comment 2
2015-02-02 12:56:21 PST
Comment on attachment 245894 [details]: Patch

Wow! That's not good! :-)

I guess this happens if the m_childClippingMaskLayer is also part of the layer hierarchy and is therefore accessed for a "setMaskLayer" update?

This might only happen in the WinCairo implementation due to its use of the texture mapping stuff to handle accelerated compositing.

r=me.
peavo
Comment 3
2015-02-02 13:13:08 PST
(In reply to comment #2)
> Comment on attachment 245894 [details]: Patch
>
Thanks for reviewing :)

> Wow! That's not good! :-)
>
> I guess this happens if the m_childClippingMaskLayer is also part of the
> layer hierarchy and is therefore accessed for a "setMaskLayer" update?
>
> This might only happen in the WinCairo implementation due to its use of the
> texture mapping stuff to handle accelerated compositing.
>
Good point, could be a bug only on WinCairo. Also, it was not really harmful, since the overwrite happened just after deallocation, and nobody had reallocated the block, yet ... :)

> r=me.
WebKit Commit Bot
Comment 4
2015-02-02 13:39:09 PST
Comment on attachment 245894 [details]: Patch

Clearing flags on attachment: 245894

Committed r179495: <http://trac.webkit.org/changeset/179495>
WebKit Commit Bot
Comment 5
2015-02-02 13:39:13 PST
All reviewed patches have been landed. Closing bug.