delta/qt5/qtwebkit.git - code.qt.io: qt/qtwebkit.git

diff options

author	Bem Jones-Bey <bjonesbe@adobe.com>	2014-02-28 19:19:03 +0000
committer	Konstantin Tokarev <annulen@yandex.ru>	2016-02-01 20:59:31 +0000
commit	999ff247a5a0ca31ba21d24933789541ca790fce (patch)
tree	d891ba83334897acc9546e6dc9cf67fadf7d7b6a /Source/JavaScriptCore/bytecode/StructureSet.cpp
parent	bccaed38b0c7aacac12e3140ed571aa2a8fadd87 (diff)
download	qtwebkit-999ff247a5a0ca31ba21d24933789541ca790fce.tar.gz

Properly clear m_logicallyLastRun to remove use-after-free possibility

https://bugs.webkit.org/show_bug.cgi?id=129489 Reviewed by David Hyatt. A use-after-free issue was caught in Blink because m_logicallyLastRun is not cleared when the item it points to is deleted. Clearing it turns the use-after-free into a segfault, and prevents any future use-after-frees from happening. * platform/text/BidiRunList.h: (WebCore::BidiRunList<Run>::deleteRuns): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@164876 268f45cc-cd09-0410-ab3c-d52691b4dbfc Change-Id: Ia76a5723ea649e7a3609fc26025dd5bbd96f3302 Reviewed-by: Allan Sandfeld Jensen <allan.jensen@theqtcompany.com>

Diffstat (limited to 'Source/JavaScriptCore/bytecode/StructureSet.cpp')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: