authorjunov@chromium.org <junov@chromium.org@bbb929c8-8fbe-4397-9dbb-9b2b20218538>2014-06-23 17:17:30 +0000
committerjunov@chromium.org <junov@chromium.org@bbb929c8-8fbe-4397-9dbb-9b2b20218538>2014-06-23 17:17:30 +0000
commit82e6cc15658595690793a0573efa3258484c1c07 (patch)
tree85612b8cc1f94cd0f9f1d5edc4d6150a252012db
parentfb1e9829a7d2bcd08193c31c2027878860d50ba5 (diff)
downloadchromium-82e6cc15658595690793a0573efa3258484c1c07.tar.gz
chromium-82e6cc15658595690793a0573efa3258484c1c07.tar.bz2
chromium-82e6cc15658595690793a0573efa3258484c1c07.zip
Fix memory use after free in HitRegionManager::removeHitRegionsInRect
Items were being removed from a list while iterating over the list, which is unsafe. BUG=387728 TEST=ASAN, layout test fast/canvas/canvas-hit-regions-clear-test.html Review URL: https://codereview.chromium.org/336233003 git-svn-id: svn://svn.chromium.org/blink/trunk@176764 bbb929c8-8fbe-4397-9dbb-9b2b20218538
-rw-r--r--Source/core/html/canvas/HitRegion.cpp7
1 files changed, 6 insertions, 1 deletions
diff --git a/Source/core/html/canvas/HitRegion.cpp b/Source/core/html/canvas/HitRegion.cpp
index d436f45a87ca..276e9b7ef2d1 100644
--- a/Source/core/html/canvas/HitRegion.cpp
+++ b/Source/core/html/canvas/HitRegion.cpp
@@ -102,13 +102,18 @@ void HitRegionManager::removeHitRegionsInRect(const FloatRect& rect, const Affin
clearArea.transform(ctm);
HitRegionIterator itEnd = m_hitRegionList.rend();
+ HitRegionList toBeRemoved;
for (HitRegionIterator it = m_hitRegionList.rbegin(); it != itEnd; ++it) {
RefPtrWillBeRawPtr<HitRegion> hitRegion = *it;
hitRegion->removePixels(clearArea);
if (hitRegion->path().isEmpty())
- removeHitRegion(hitRegion.get());
+ toBeRemoved.add(hitRegion);
}
+
+ itEnd = toBeRemoved.rend();
+ for (HitRegionIterator it = toBeRemoved.rbegin(); it != itEnd; ++it)
+ removeHitRegion(it->get());
}
void HitRegionManager::removeAllHitRegions()
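Review bot: The second loop reuses `itEnd`, declared for `m_hitRegionList`, as the end iterator of a different container (`toBeRemoved`), and nothing in the hunk says why the removal is now split in two; a fresh iterator and a short comment would make the deferred removal self-explanatory. Suggested: above `HitRegionList toBeRemoved;` add `// removeHitRegion() mutates m_hitRegionList, so collect the emptied regions first and erase them once the iteration is done.`, and for the second loop use `HitRegionIterator removeEnd = toBeRemoved.rend();` instead of reassigning `itEnd`. Whether the reverse order of that second loop matters depends on removeHitRegion(), which is outside the hunk; if order is irrelevant a plain forward loop would be simpler. The list presumably also keeps each HitRegion alive until the function returns, which is worth stating in the comment if that is the intent, since the original use-after-free came from the list being the only owner. The enclosing function begins before the hunk.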