Bug 37973 - REGRESSION(58040): TextIterator may use freed memory
Summary: REGRESSION(58040): TextIterator may use freed memory
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: HTML Editing (show other bugs)
Version: 528+ (Nightly build)
Hardware: All All
: P2 Normal
Assignee: Nobody
URL:
Keywords:
: 37907 (view as bug list)
Depends on:
Blocks:
 
Reported: 2010-04-21 23:25 PDT by Shinichiro Hamaji
Modified: 2010-04-22 21:51 PDT (History)
1 user (show)

See Also:

Attachments
Patch v1 (3.65 KB, patch)
2010-04-21 23:28 PDT, Shinichiro Hamaji 		darin: review+
Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Shinichiro Hamaji 2010-04-21 23:25:57 PDT 
http://trac.webkit.org/changeset/58040 modified TextIterator::emitText and it uses RenderText::textWithoutTranscoding which may return String with refcnt==1 . TextIterator::emitText doesn't increment the refcnt of the returned String so the String created by textWithoutTranscoding() will be freed when emitString() finishes. This means we will touch the freed buffer. The test I added in r58040 happened to work for most platforms except chromium-win-debug (maybe because the iterator uses the freed buffer soon after the buffer is freed).

My apologies for this bug.
Comment 1 Shinichiro Hamaji 2010-04-21 23:28:32 PDT 
Created attachment 54028 [details]
Patch v1
Comment 2 Shinichiro Hamaji 2010-04-21 23:29:33 PDT 
*** Bug 37907 has been marked as a duplicate of this bug. ***
Comment 3 Darin Adler 2010-04-22 12:56:05 PDT 
Comment on attachment 54028 [details]
Patch v1

WebCore/editing/TextIterator.h:130

 +      // Prevent m_textCharacters from being freed.
 +      String m_text;

I think this comment is not as clear as it could be, but I don't have any specific suggestions for improving it.
Comment 4 Shinichiro Hamaji 2010-04-22 21:51:57 PDT 
Committed r58149: <http://trac.webkit.org/changeset/58149>