Issue 611669 link

Starred by 1 user

Issue metadata

Status:	Fixed
Owner:	----
Closed:	May 2016
Cc:	kouhei@chromium.org tzik@chromium.org kojii@chromium.org e...@chromium.org style-bugs@google.com
Components:	Blink>CSS Blink>Fonts
EstimatedDays:	----
NextAction:	----
OS:	----
Pri:	3
Type:	Bug

Font caches in font/css may return incorrect fonts

Project Member Reported by tzik@chromium.org, May 13 2016

Issue description

CSSFontFaceSource and CSSSegmentedFontFace [2] have its own font caches as their member.
They are intended to map FontCacheKey to their font data, however, they use a hash value of the FontCacheKey instance for the HashMap key instead of the FontCacheKey itself. That may return incorrect font data on a hash collision, and may also cause an assertion failure if a hash value is an invalid value for HashMap key (i.e. 0 and -1).

[1]: https://chromium.googlesource.com/chromium/src/+/8839774eace3a4b0427c531d6f3ce8a2bfe6552a/third_party/WebKit/Source/core/css/CSSFontFaceSource.h#65
[2]: https://chromium.googlesource.com/chromium/src/+/8839774eace3a4b0427c531d6f3ce8a2bfe6552a/third_party/WebKit/Source/core/css/CSSSegmentedFontFace.h#85

Project Member

Comment 1 by bugdroid1@chromium.org, May 14 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/cf88b677e190c6b306b9721a267ab55c4e869e14

commit cf88b677e190c6b306b9721a267ab55c4e869e14
Author: tzik <tzik@chromium.org>
Date: Sat May 14 20:30:43 2016

Fix FontCacheKey-keyed HashMap usage in core/css

HashMap to cache fonts in core/css associates FontCacheKey, however they use
hashed value of FontCacheKey. That causes incorrect cache hit or assertion
failure on hash collision case or on 0 or -1 hash value.

BUG= 611669 

Review-Url: https://codereview.chromium.org/1973153004
Cr-Commit-Position: refs/heads/master@{#393744}

[modify] https://crrev.com/cf88b677e190c6b306b9721a267ab55c4e869e14/third_party/WebKit/Source/core/core.gypi
[modify] https://crrev.com/cf88b677e190c6b306b9721a267ab55c4e869e14/third_party/WebKit/Source/core/css/CSSFontFaceSource.cpp
[modify] https://crrev.com/cf88b677e190c6b306b9721a267ab55c4e869e14/third_party/WebKit/Source/core/css/CSSFontFaceSource.h
[add] https://crrev.com/cf88b677e190c6b306b9721a267ab55c4e869e14/third_party/WebKit/Source/core/css/CSSFontFaceSourceTest.cpp
[modify] https://crrev.com/cf88b677e190c6b306b9721a267ab55c4e869e14/third_party/WebKit/Source/core/css/CSSSegmentedFontFace.cpp
[modify] https://crrev.com/cf88b677e190c6b306b9721a267ab55c4e869e14/third_party/WebKit/Source/core/css/CSSSegmentedFontFace.h

Comment 2 by tzik@chromium.org, May 17 2016

Status: Fixed (was: Available)

►

Issue 611669 link

Issue metadata

Font caches in font/css may return incorrect fonts

Issue description

Comment 1 by bugdroid1@chromium.org, May 14 2016

Comment 1 Deleted

Comment 2 by tzik@chromium.org, May 17 2016

Comment 2 Deleted

Sign in to add a comment