From: commit-queue@webkit.org Date: Tue, 7 Feb 2012 19:46:49 +0000 (+0000) Subject: [Chromium] Memory bug during occlusion tracking if Vector::append() needs to realloca... X-Git-Tag: 070512121124~13569 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=0f5417754f2fa4a0336d5f1a660636511207ec9a;p=profile%2Fivi%2Fwebkit-efl.git [Chromium] Memory bug during occlusion tracking if Vector::append() needs to reallocate the buffer https://bugs.webkit.org/show_bug.cgi?id=77996 Patch by Dana Jansens on 2012-02-07 Reviewed by James Robinson. We're holding onto the last element in the Vector and then calling append(). If append() reallocates the Vector's buffer, the pointer is no longer valid. * platform/graphics/chromium/cc/CCLayerTreeHost.cpp: (WebCore::enterTargetRenderSurface): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@106969 268f45cc-cd09-0410-ab3c-d52691b4dbfc
---
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index a2ff187..df499c9 100644
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,17 @@
+2012-02-07 Dana Jansens
+
+        [Chromium] Memory bug during occlusion tracking if Vector::append() needs to reallocate the buffer
+        https://bugs.webkit.org/show_bug.cgi?id=77996
+
+        Reviewed by James Robinson.
+
+        We're holding onto the last element in the Vector and then calling
+        append(). If append() reallocates the Vector's buffer, the pointer
+        is no longer valid.
+
+        * platform/graphics/chromium/cc/CCLayerTreeHost.cpp:
+        (WebCore::enterTargetRenderSurface):
+
 2012-02-07 Abhishek Arya
 
         Crash due to column style not updated on post block
diff --git a/Source/WebCore/platform/graphics/chromium/cc/CCLayerTreeHost.cpp b/Source/WebCore/platform/graphics/chromium/cc/CCLayerTreeHost.cpp
index 50d76a5..3c356ef 100644
--- a/Source/WebCore/platform/graphics/chromium/cc/CCLayerTreeHost.cpp
+++ b/Source/WebCore/platform/graphics/chromium/cc/CCLayerTreeHost.cpp
@@ -495,10 +495,10 @@ static void enterTargetRenderSurface(Vector& stack, RenderS
         stack.append(RenderSurfaceRegion());
         stack.last().surface = newTarget;
     } else if (stack.last().surface != newTarget) {
-        const RenderSurfaceRegion& previous = stack.last();
         stack.append(RenderSurfaceRegion());
         stack.last().surface = newTarget;
-        stack.last().occludedInScreen = previous.occludedInScreen;
+        int lastIndex = stack.size() - 1;
+        stack[lastIndex].occludedInScreen = stack[lastIndex - 1].occludedInScreen;
     }
 }
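Review bot: `int lastIndex = stack.size() - 1;` narrows the unsigned result of `size()` into a signed `int` and then feeds it straight back into `operator[]`; `size_t lastIndex = stack.size() - 1;` keeps the index in the container's own type and avoids a sign-conversion warning. The `lastIndex - 1` subscript looks sound as far as the hunk shows, since this branch already dereferenced `stack.last()` before the append, so at least two entries exist afterwards. Nothing in the new lines records why indices replaced the reference, so the next editor can reintroduce the stale reference into freed storage; a comment such as `// Index into the Vector rather than holding a reference: append() may reallocate the buffer and invalidate stack.last().` would preserve the reason. enterTargetRenderSurface's signature and the start of its body lie before the hunk, so whether `stack` can be empty on entry is not visible here.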