From c7d3e64bc3447054f4c52758f4c016949bf00827 Mon Sep 17 00:00:00 2001
From: vogelheim
Date: Fri, 29 May 2015 05:19:40 -0700
Subject: [PATCH] Fix free-after-free bug in ExternalStreamingStream::ResetToBookmark.
R=jochen@chromium.org
BUG=chromium:470930
LOG=N
Review URL: https://codereview.chromium.org/1156103015
Cr-Commit-Position: refs/heads/master@{#28700}
---
 src/scanner-character-streams.cc | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/scanner-character-streams.cc b/src/scanner-character-streams.cc
index 40d2abc..bc5cde4 100644
--- a/src/scanner-character-streams.cc
+++ b/src/scanner-character-streams.cc
@@ -434,10 +434,14 @@ void ExternalStreamingStream::ResetToBookmark() {
 pos_ = bookmark_;
- // current_data_ can point to bookmark_data_'s buffer.
- current_data_ = bookmark_data_.start();
+ // bookmark_data_* => current_data_*
+ // (current_data_ assumes ownership of its memory.)
+ uint8_t* data = new uint8_t[bookmark_data_.length()];
 current_data_offset_ = 0;
 current_data_length_ = bookmark_data_.length();
+ CopyCharsUnsigned(data, bookmark_data_.begin(), bookmark_data_.length());
+ delete[] current_data_;
+ current_data_ = data;
 // bookmark_buffer_ needs to be copied to buffer_.
 CopyCharsUnsigned(buffer_, bookmark_buffer_.begin(),
-- 2.7.4
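Review bot: The `delete[] current_data_` added in this hunk is only safe if every other writer of `current_data_` (the data-fetch path and the destructor, neither visible here) also stores heap memory this stream owns; the hunk asserts that only in a comment, while the removed lines show that until now at least one path stored a non-owning alias into `bookmark_data_`, and if any such alias survives elsewhere this `delete[]` turns the old use-after-free into a free of `bookmark_data_`'s buffer. State the rule at the member's declaration (e.g. `// Owned: always nullptr or memory from new[], never an alias of bookmark_data_`) and guard the exact regression this commit fixes with `DCHECK_NE(current_data_, bookmark_data_.begin());` immediately before the `delete[]` (or whichever assertion macro this file uses). As a point of style, `bookmark_data_.length()` is evaluated three times and `current_data_offset_`/`current_data_length_` are assigned while `current_data_` still points at the old buffer; hoisting `const auto len = bookmark_data_.length();` and moving the two field assignments after `current_data_ = data;` keeps the stream's fields describing one buffer at every statement. ResetToBookmark continues past the end of the hunk.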