Fix free-after-free bug in ExternalStreamingStream::ResetToBookmark.

author vogelheim <vogelheim@chromium.org>

Fri, 29 May 2015 12:19:40 +0000 (05:19 -0700)

committer Commit bot <commit-bot@chromium.org>

Fri, 29 May 2015 12:19:51 +0000 (12:19 +0000)
author vogelheim <vogelheim@chromium.org>
Fri, 29 May 2015 12:19:40 +0000 (05:19 -0700)
committer Commit bot <commit-bot@chromium.org>
Fri, 29 May 2015 12:19:51 +0000 (12:19 +0000)
diff --git a/src/scanner-character-streams.cc b/src/scanner-character-streams.cc

index 40d2abc..bc5cde4 100644 (file)
--- a/src/scanner-character-streams.cc
+++ b/src/scanner-character-streams.cc
@@ -434,10 +434,14 @@ void ExternalStreamingStream::ResetToBookmark() {
  
    pos_ = bookmark_;
  
-  // current_data_ can point to bookmark_data_'s buffer.
-  current_data_ = bookmark_data_.start();
+  // bookmark_data_* => current_data_*
+  // (current_data_ assumes ownership of its memory.)
+  uint8_t* data = new uint8_t[bookmark_data_.length()];
    current_data_offset_ = 0;
    current_data_length_ = bookmark_data_.length();
+  CopyCharsUnsigned(data, bookmark_data_.begin(), bookmark_data_.length());
+  delete[] current_data_;
+  current_data_ = data;
  
    // bookmark_buffer_ needs to be copied to buffer_.
    CopyCharsUnsigned(buffer_, bookmark_buffer_.begin(),
author	vogelheim <vogelheim@chromium.org>
	Fri, 29 May 2015 12:19:40 +0000 (05:19 -0700)
committer	Commit bot <commit-bot@chromium.org>
	Fri, 29 May 2015 12:19:51 +0000 (12:19 +0000)