Double free in ~SkPictureData()

On subpicture parsing failures we clean up all fPictureRefs entries *and* delete the array itself. But the destructor also deletes the array => double free. Alternatively, we can set fPictureCount to the number of successfully parsed pictures such that the destructor handles all the cleanup. BUG=515228 R=reed@google.com,mtklein@google.com Review URL: https://codereview.chromium.org/1264503011
2015-07-29 14:40:06 -07:00 · 2015-07-29 14:40:06 -07:00 · 5479d3b569
commit 5479d3b569
parent 3ac6b7551d
1 changed files with 6 additions and 18 deletions
--- a/src/core/SkPictureData.cpp
+++ b/src/core/SkPictureData.cpp
@ -373,26 +373,14 @@ bool SkPictureData::parseStreamTag(SkStream* stream,
            }
        } break;
        case SK_PICT_PICTURE_TAG: {
-            fPictureCount = size;
-            fPictureRefs = SkNEW_ARRAY(const SkPicture*, fPictureCount);
-            bool success = true;
-            int i = 0;
-            for ( ; i < fPictureCount; i++) {
+            fPictureCount = 0;
+            fPictureRefs = SkNEW_ARRAY(const SkPicture*, size);
+            for (uint32_t i = 0; i < size; i++) {
                fPictureRefs[i] = SkPicture::CreateFromStream(stream, proc);
-                if (NULL == fPictureRefs[i]) {
-                    success = false;
-                    break;
+                if (!fPictureRefs[i]) {
+                    return false;
                }
-            }
-            if (!success) {
-                // Delete all of the pictures that were already created (up to but excluding i):
-                for (int j = 0; j < i; j++) {
-                    fPictureRefs[j]->unref();
-                }
-                // Delete the array
-                SkDELETE_ARRAY(fPictureRefs);
-                fPictureCount = 0;
-                return false;
+                fPictureCount++;
            }
        } break;
        case SK_PICT_BUFFER_SIZE_TAG: {