CanvasRenderingContext2D::setFont argument may reference destroyed ob…

…ject https://bugs.webkit.org/show_bug.cgi?id=106385 Reviewed by Abhishek Arya. No new tests: covered by fast/canvas/canvas-measureText.html This is a re-write of r138994. Fixing bug in setFont instead of workaround at call site. * html/canvas/CanvasRenderingContext2D.cpp: (WebCore::CanvasRenderingContext2D::setFont): (WebCore::CanvasRenderingContext2D::accessFont): Canonical link: https://commits.webkit.org/124595@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@139144 268f45cc-cd09-0410-ab3c-d52691b4dbfc
WebKit · Jan 9, 2013 · 599554584390deab0d42570eaff09b2a64db2641 · 5995545
1 parent 0b6c3f6
commit 599554584390deab0d42570eaff09b2a64db2641
Showing 2 changed files with 20 additions and 8 deletions.
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
@@ -1,3 +1,19 @@
+2013-01-08  Justin Novosad  <junov@google.com>
+
+        CanvasRenderingContext2D::setFont argument may reference destroyed object
+        https://bugs.webkit.org/show_bug.cgi?id=106385
+
+        Reviewed by Abhishek Arya.
+
+        No new tests: covered by fast/canvas/canvas-measureText.html
+
+        This is a re-write of r138994.  Fixing bug in setFont instead of
+        workaround at call site. 
+
+        * html/canvas/CanvasRenderingContext2D.cpp:
+        (WebCore::CanvasRenderingContext2D::setFont):
+        (WebCore::CanvasRenderingContext2D::accessFont):
+
 2013-01-08  David Grogan  <dgrogan@chromium.org>
 
         IndexedDB: Provide LevelDB with IDBEnv instead of Env::Default

diff --git a/Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp b/Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp
@@ -2088,8 +2088,9 @@ void CanvasRenderingContext2D::setFont(const String& newFont)
         return;
 
     // The parse succeeded.
+    String newFontSafeCopy(newFont); // Create a string copy since newFont can be deleted inside realizeSaves.
     realizeSaves();
-    modifiableState().m_unparsedFont = newFont;
+    modifiableState().m_unparsedFont = newFontSafeCopy;
 
     // Map the <canvas> font into the text style. If the font uses keywords like larger/smaller, these will work
     // relative to the canvas.
@@ -2373,13 +2374,8 @@ const Font& CanvasRenderingContext2D::accessFont()
 {
     canvas()->document()->updateStyleIfNeeded();
 
-    if (!state().m_realizedFont) {
-        // Create temporary string object to hold ref count in case
-        // state().m_unparsedFont in unreffed by call to realizeSaves in
-        // setFont.
-        String unparsedFont(state().m_unparsedFont);
-        setFont(unparsedFont);
-    }
+    if (!state().m_realizedFont)
+        setFont(state().m_unparsedFont);
     return state().m_font;
 }