chromium_src.git - central chromium sources

diff options

author	mgiuca <mgiuca@chromium.org>	2016-03-14 17:56:57 -0700
committer	Commit bot <commit-bot@chromium.org>	2016-03-15 00:58:01 +0000
commit	7e551c12da627989bf8f31afd7b671279113d92d (patch)
tree	4b5c0f0750e4e2cc608ebb1393c51bb28f30aaf7 /breakpad
parent	afe8b19377eba0d66ce30c8753feee2e92fc767b (diff)
download	chromium_src-7e551c12da627989bf8f31afd7b671279113d92d.zip chromium_src-7e551c12da627989bf8f31afd7b671279113d92d.tar.gz chromium_src-7e551c12da627989bf8f31afd7b671279113d92d.tar.bz2

Fix use-after-free in gfx::Image.

ToImageSkia, ToUIImage and ToNSImage would insert an ImageRep into the map, then return the pointer to the ImageRep. If the map already contained a rep of that type, the new rep gets freed and the returned pointer is dangling. Adds a CHECK for this case so it will now crash cleanly. This should not happen, but it is evidently possible. This could mean that ToImageSkia is being called from two threads at the same time (which is bad, because gfx::Image is not thread safe). BUG=590882 Review URL: https://codereview.chromium.org/1773433002 Cr-Commit-Position: refs/heads/master@{#381141}

Diffstat (limited to 'breakpad')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: