Skip to content

Double free / use-after-free of static FcPattern in FontPlatformDataFreeType::create #54346

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
webkit-commit-queue merged 1 commit into from
Nov 24, 2025
Merged

Double free / use-after-free of static FcPattern in FontPlatformDataFreeType::create #54346

webkit-commit-queue merged 1 commit into from
Nov 24, 2025

Conversation

@mcatanzaro
Copy link
Contributor

@mcatanzaro mcatanzaro commented Nov 21, 2025
edited by webkit-early-warning-system
Loading

d4f46e5

Double free / use-after-free of static FcPattern in FontPlatformDataFreeType::create
https://bugs.webkit.org/show_bug.cgi?id=302858

Reviewed by Carlos Garcia Campos.

Here we adopt a reference that we do not own. Well, we sort of own it,
in the static local variable, but we need to *continue* owning it and
therefore must not pass ownership to the FontPlatformData constructor.

So, remove the adoptRef(). A RefPtr will be implicitly created,
increasing the ref count on the FcPattern, as is required.

(Note this FcPattern will be leaked, but that's OK because it's global
data. The ref count should be 1 at program termination.)

Canonical link: https://commits.webkit.org/303513@main

247439b

Misc iOS, visionOS, tvOS & watchOS macOS Linux Windows
✅ 🧪 style ✅ 🛠 ios ✅ 🛠 mac ✅ 🛠 wpe ✅ 🛠 win
✅ 🧪 bindings ✅ 🛠 ios-sim ✅ 🛠 mac-AS-debug ✅ 🧪 wpe-wk2 ✅ 🧪 win-tests
✅ 🧪 webkitperl ✅ 🧪 ios-wk2 ✅ 🧪 api-mac ✅ 🧪 api-wpe
✅ 🧪 ios-wk2-wpt ✅ 🧪 api-mac-debug ✅ 🛠 wpe-cairo
✅ 🧪 api-ios ✅ 🧪 mac-wk1 ✅ 🛠 gtk
✅ 🛠 vision ✅ 🧪 mac-wk2 ✅ 🧪 gtk-wk2
✅ 🛠 vision-sim ✅ 🧪 mac-AS-debug-wk2 ✅ 🧪 api-gtk
✅ 🛠 🧪 merge ✅ 🧪 vision-wk2 ✅ 🧪 mac-wk2-stress ✅ 🛠 playstation
✅ 🛠 tv ✅ 🧪 mac-intel-wk2
✅ 🛠 tv-sim ✅ 🛠 mac-safer-cpp
✅ 🛠 watch
✅ 🛠 watch-sim

@mcatanzaro mcatanzaro requested a review from a team as a code owner November 21, 2025 21:50
@mcatanzaro mcatanzaro self-assigned this Nov 21, 2025
@webkit-early-warning-system
Copy link
Collaborator

webkit-early-warning-system commented Nov 21, 2025
edited
Loading

EWS run on current version of this PR (hash 247439b)

Details

Misc iOS, visionOS, tvOS & watchOS macOS Linux Windows
✅ 🧪 style ✅ 🛠 ios ✅ 🛠 mac ✅ 🛠 wpe ✅ 🛠 win
✅ 🧪 bindings ✅ 🛠 ios-sim ✅ 🛠 mac-AS-debug ✅ 🧪 wpe-wk2 ✅ 🧪 win-tests
✅ 🧪 webkitperl ✅ 🧪 ios-wk2 ✅ 🧪 api-mac ✅ 🧪 api-wpe
✅ 🧪 ios-wk2-wpt ✅ 🧪 api-mac-debug ✅ 🛠 wpe-cairo
✅ 🧪 api-ios ✅ 🧪 mac-wk1 ✅ 🛠 gtk
✅ 🛠 vision ✅ 🧪 mac-wk2 ✅ 🧪 gtk-wk2
✅ 🛠 vision-sim ✅ 🧪 mac-AS-debug-wk2 ✅ 🧪 api-gtk
✅ 🛠 🧪 merge ✅ 🧪 vision-wk2 ✅ 🧪 mac-wk2-stress ✅ 🛠 playstation
✅ 🛠 tv ✅ 🧪 mac-intel-wk2
✅ 🛠 tv-sim ✅ 🛠 mac-safer-cpp
✅ 🛠 watch
✅ 🛠 watch-sim

@mcatanzaro mcatanzaro added Text For bugs in text layout and rendering, including international text support. GLib Suggested Backport - 2.50 Suggest this merge request be backported to webkitglib/2.50 branch labels Nov 21, 2025
@mcatanzaro mcatanzaro added the merge-queue Applied to send a pull request to merge-queue label Nov 24, 2025
@mcatanzaro
Double free / use-after-free of static FcPattern in FontPlatformDataF…
d4f46e5 
…reeType::create

https://bugs.webkit.org/show_bug.cgi?id=302858

Reviewed by Carlos Garcia Campos.

Here we adopt a reference that we do not own. Well, we sort of own it,
in the static local variable, but we need to *continue* owning it and
therefore must not pass ownership to the FontPlatformData constructor.

So, remove the adoptRef(). A RefPtr will be implicitly created,
increasing the ref count on the FcPattern, as is required.

(Note this FcPattern will be leaked, but that's OK because it's global
data. The ref count should be 1 at program termination.)

Canonical link: https://commits.webkit.org/303513@main
@webkit-commit-queue webkit-commit-queue force-pushed the eng/Double-free-use-after-free-of-static-FcPattern-in-FontPlatformDataFreeType-create branch from 247439b to d4f46e5 Compare November 24, 2025 22:14
@webkit-commit-queue
Copy link
Collaborator

webkit-commit-queue commented Nov 24, 2025

Committed 303513@main (d4f46e5): https://commits.webkit.org/303513@main

Reviewed commits have been landed. Closing PR #54346 and removing active labels.

@webkit-commit-queue webkit-commit-queue merged commit d4f46e5 into WebKit:main Nov 24, 2025
@webkit-commit-queue webkit-commit-queue removed the merge-queue Applied to send a pull request to merge-queue label Nov 24, 2025
@aperezdc
Copy link
Contributor

aperezdc commented Nov 25, 2025

Backported into webkitglib/2.50 as commit 7a2fbd4

@aperezdc aperezdc removed the GLib Suggested Backport - 2.50 Suggest this merge request be backported to webkitglib/2.50 branch label Nov 25, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aperezdc aperezdc aperezdc left review comments

@carlosgcampos carlosgcampos carlosgcampos approved these changes

Assignees

@mcatanzaro mcatanzaro

Labels

Text For bugs in text layout and rendering, including international text support.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@mcatanzaro @webkit-early-warning-system @webkit-commit-queue @aperezdc @carlosgcampos