From 82e6cc15658595690793a0573efa3258484c1c07 Mon Sep 17 00:00:00 2001
From: "junov@chromium.org"
Date: Mon, 23 Jun 2014 17:17:30 +0000
Subject: Fix memory use after free in HitRegionManager::removeHitRegionsInRect

Items were being removed from a list while iterating over the list, which is unsafe.

BUG=387728
TEST=ASAN, layout test fast/canvas/canvas-hit-regions-clear-test.html

Review URL: https://codereview.chromium.org/336233003

git-svn-id: svn://svn.chromium.org/blink/trunk@176764 bbb929c8-8fbe-4397-9dbb-9b2b20218538
---
 Source/core/html/canvas/HitRegion.cpp | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/Source/core/html/canvas/HitRegion.cpp b/Source/core/html/canvas/HitRegion.cpp
index d436f45a87ca..276e9b7ef2d1 100644
--- a/Source/core/html/canvas/HitRegion.cpp
+++ b/Source/core/html/canvas/HitRegion.cpp
@@ -102,13 +102,18 @@ void HitRegionManager::removeHitRegionsInRect(const FloatRect& rect, const Affin
     clearArea.transform(ctm);
 
     HitRegionIterator itEnd = m_hitRegionList.rend();
+    HitRegionList toBeRemoved;
 
     for (HitRegionIterator it = m_hitRegionList.rbegin(); it != itEnd; ++it) {
         RefPtrWillBeRawPtr hitRegion = *it;
         hitRegion->removePixels(clearArea);
         if (hitRegion->path().isEmpty())
-            removeHitRegion(hitRegion.get());
+            toBeRemoved.add(hitRegion);
     }
+
+    itEnd = toBeRemoved.rend();
+    for (HitRegionIterator it = toBeRemoved.rbegin(); it != itEnd; ++it)
+        removeHitRegion(it->get());
 }
 
 void HitRegionManager::removeAllHitRegions()
-- 
cgit v1.2.3
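Review bot: The reason the removal is now deferred is recorded only in the commit message, not next to the `HitRegionList toBeRemoved;` declaration, so a later cleanup could easily fold the two loops back together and reintroduce the use-after-free; a comment at that line such as `// removeHitRegion() mutates m_hitRegionList, so collect empty regions here and remove them after the iteration (see BUG=387728).` would make the invariant visible in the code. The second loop walks `toBeRemoved` with `rbegin()`/`rend()`, apparently mirroring the first loop, but nothing in the hunk suggests removal order matters, so a plain forward loop would read more simply; if the reverse order is deliberate, that is worth a word in the same comment. Keeping `RefPtrWillBeRawPtr` copies in `toBeRemoved` also keeps each region alive until `removeHitRegion(it->get())` runs, which is presumably what the raw pointer argument relies on. The body of `removeHitRegionsInRect` begins before this hunk, so the construction of `clearArea` is not visible here.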