author | junov@chromium.org <junov@chromium.org@bbb929c8-8fbe-4397-9dbb-9b2b20218538> | 2014-06-23 17:17:30 +0000 |
committer | junov@chromium.org <junov@chromium.org@bbb929c8-8fbe-4397-9dbb-9b2b20218538> | 2014-06-23 17:17:30 +0000 |
commit | 82e6cc15658595690793a0573efa3258484c1c07 (patch) | |
tree | 85612b8cc1f94cd0f9f1d5edc4d6150a252012db | |
parent | fb1e9829a7d2bcd08193c31c2027878860d50ba5 (diff) | |
Fix memory use after free in HitRegionManager::removeHitRegionsInRect
Items were being removed from a list while iterating over the list,
which is unsafe.
BUG=387728
TEST=ASAN, layout test fast/canvas/canvas-hit-regions-clear-test.html
Review URL: https://codereview.chromium.org/336233003
git-svn-id: svn://svn.chromium.org/blink/trunk@176764 bbb929c8-8fbe-4397-9dbb-9b2b20218538
-rw-r--r-- | Source/core/html/canvas/HitRegion.cpp | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/Source/core/html/canvas/HitRegion.cpp b/Source/core/html/canvas/HitRegion.cpp
index d436f45a87ca..276e9b7ef2d1 100644
--- a/Source/core/html/canvas/HitRegion.cpp
+++ b/Source/core/html/canvas/HitRegion.cpp
@@ -102,13 +102,18 @@ void HitRegionManager::removeHitRegionsInRect(const FloatRect& rect, const Affin
     clearArea.transform(ctm);
     HitRegionIterator itEnd = m_hitRegionList.rend();
+    HitRegionList toBeRemoved;
     for (HitRegionIterator it = m_hitRegionList.rbegin(); it != itEnd; ++it) {
         RefPtrWillBeRawPtr<HitRegion> hitRegion = *it;
         hitRegion->removePixels(clearArea);
         if (hitRegion->path().isEmpty())
-            removeHitRegion(hitRegion.get());
+            toBeRemoved.add(hitRegion);
     }
+
+    itEnd = toBeRemoved.rend();
+    for (HitRegionIterator it = toBeRemoved.rbegin(); it != itEnd; ++it)
+        removeHitRegion(it->get());
 }
 
 void HitRegionManager::removeAllHitRegions() |
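Review bot: The deferral into `toBeRemoved` is the whole fix, but nothing in the new code says why the two-pass shape is required, so the next refactor is likely to fold the loops back together and reintroduce the use-after-free from BUG=387728. I would put a comment on the `HitRegionList toBeRemoved;` declaration: `// removeHitRegion() mutates m_hitRegionList, so collect the emptied regions here and remove them only after the iteration over m_hitRegionList has finished.` It is also worth stating in that comment that the strong references held by `toBeRemoved` keep each region alive across the `removeHitRegion(it->get())` call in the second loop, since a raw `HitRegion*` is passed in. Presumably a plain vector of references would do here instead of a second `HitRegionList`, because every entry already comes from the set and cannot repeat; that is a style choice for the author to confirm. The enclosing `removeHitRegionsInRect` starts before this hunk (the `@@` context shows only its truncated signature), so the lines that build `clearArea` are not visible here.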