Use a resource after Free in OffscreenCanvasRC::DrawTextInternal()
In OffscreenCanvasRenderingContext::DrawTextInternal(), |paint_canvas| can be freed in the draw command in BaseRenderingContext. We then use the |paint_canvas|, which causes the security bug that we are using a resource after it's freed. Looking at how |paint_canvas| is used in the method DrawTextInternal(), restoring a cleared |paint_canvas| is not really necessary. So I removed it's only restored if the canvas is not cleared (i.e. canvas is not freed).

Bug: 1111737
TBR=fserb@chromium.org
(cherry picked from commit 15c4ec7)
Change-Id: I699b855434f7ddfbc678d2a9cfe25fe4938a798a
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2358574
Commit-Queue: Yi Xu <yiyix@chromium.org>
Reviewed-by: Fernando Serboncini <fserb@chromium.org>
Reviewed-by: Aaron Krajeski <aaronhk@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#802508}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2388264
Reviewed-by: Yi Xu <yiyix@chromium.org>
Cr-Commit-Position: refs/branch-heads/4183@{#1732}
Cr-Branched-From: 740e9e8-refs/heads/master@{#782793}
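
The pattern this commit message describes, as an added example that is not Chromium code and not part of the commit. `Canvas`, `Context`, `DrawTextUnsafe` and `DrawTextGuarded` are hypothetical stand-ins, and detecting a cleared canvas by re-querying for a null pointer is an assumption about how such a check can be made.

```cpp
#include <cstdio>
#include <memory>

// Hypothetical stand-ins for illustration; these are not Chromium's classes.
struct Canvas {
    int saves = 0;
    void save() { ++saves; }
    void restore() { --saves; }
};

class Context {
public:
    Canvas* GetCanvas() { return canvas_.get(); }  // nullptr once cleared
    // A draw step that may free the canvas as a side effect.
    void Draw(bool clears_canvas) { if (clears_canvas) canvas_.reset(); }
private:
    std::unique_ptr<Canvas> canvas_ = std::make_unique<Canvas>();
};

// Unsafe shape: the pointer is cached before Draw() and used after it.
// With clears_canvas == true, restore() would touch freed memory.
void DrawTextUnsafe(Context& ctx, bool clears_canvas) {
    Canvas* canvas = ctx.GetCanvas();
    canvas->save();
    ctx.Draw(clears_canvas);
    canvas->restore();  // stale pointer if Draw() freed the canvas
}

// Guarded shape: re-query after the draw and restore only if the canvas
// still exists. Returns true when restore() ran.
bool DrawTextGuarded(Context& ctx, bool clears_canvas) {
    Canvas* canvas = ctx.GetCanvas();
    if (!canvas) return false;
    canvas->save();
    ctx.Draw(clears_canvas);
    canvas = ctx.GetCanvas();   // the cached pointer is no longer trusted
    if (!canvas) return false;  // canvas was cleared: nothing to restore
    canvas->restore();
    return true;
}

int main() {
    Context kept, cleared;
    std::printf("kept: restored=%d\n", DrawTextGuarded(kept, false));
    std::printf("cleared: restored=%d\n", DrawTextGuarded(cleared, true));
    DrawTextUnsafe(kept, false);  // only safe because nothing is freed here
    return 0;
}
```

Building the unsafe variant with AddressSanitizer (`-fsanitize=address`) and passing `clears_canvas == true` makes the stale `restore()` call report a heap-use-after-free instead of silently corrupting memory.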