Title: [124258] trunk
Revision
124258
Author
[email protected]
Date
2012-07-31 15:36:20 -0700 (Tue, 31 Jul 2012)

Log Message

Heap-use-after-free in WebCore::StyleResolver::loadPendingImage
https://bugs.webkit.org/show_bug.cgi?id=92606

Reviewed by Abhishek Arya.

Source/WebCore:

Changes StyleResolver's m_pendingImageProperties set to a map, such that for each property we keep
a RefPtr to the CSSValue used to set that property. This ensures that CSSValues are not freed before
they are needed by loadPendingImage.

Test: fast/css/variables/deferred-image-load-from-variable.html

* css/StyleResolver.cpp:
* css/StyleResolver.h:

LayoutTests:

Exercises the codepath where an image is loaded using a url specified via a variable.

* fast/css/variables/deferred-image-load-from-variable-expected.txt: Added.
* fast/css/variables/deferred-image-load-from-variable.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (124257 => 124258)


--- trunk/LayoutTests/ChangeLog	2012-07-31 22:34:18 UTC (rev 124257)
+++ trunk/LayoutTests/ChangeLog	2012-07-31 22:36:20 UTC (rev 124258)
@@ -1,3 +1,15 @@
+2012-07-31  Luke Macpherson   <[email protected]>
+
+        Heap-use-after-free in WebCore::StyleResolver::loadPendingImage
+        https://bugs.webkit.org/show_bug.cgi?id=92606
+
+        Reviewed by Abhishek Arya.
+
+        Exercises the codepath where an image is loaded using a url specified via a variable.
+
+        * fast/css/variables/deferred-image-load-from-variable-expected.txt: Added.
+        * fast/css/variables/deferred-image-load-from-variable.html: Added.
+
 2012-07-31  Peter Kasting  <[email protected]>
 
         [Chromium] Rebaselines.

Added: trunk/LayoutTests/fast/css/variables/deferred-image-load-from-variable-expected.txt (0 => 124258)


--- trunk/LayoutTests/fast/css/variables/deferred-image-load-from-variable-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/css/variables/deferred-image-load-from-variable-expected.txt	2012-07-31 22:36:20 UTC (rev 124258)
@@ -0,0 +1 @@
+This test is successful if it does not crash.

Added: trunk/LayoutTests/fast/css/variables/deferred-image-load-from-variable.html (0 => 124258)


--- trunk/LayoutTests/fast/css/variables/deferred-image-load-from-variable.html	                        (rev 0)
+++ trunk/LayoutTests/fast/css/variables/deferred-image-load-from-variable.html	2012-07-31 22:36:20 UTC (rev 124258)
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    internals.settings.setCSSVariablesEnabled(true);
+}
+</script>
+<style>
+div {
+  -webkit-var-a: url(1);
+  -webkit-mask: -webkit-var(a);
+}
+</style>
+<div></div>
+This test is successful if it does not crash.
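Review bot: The pass condition is "does not crash", but a heap use-after-free of a freed CSSValue frequently does not crash in a release build, so this test only reliably catches a regression under ASan or a debug allocator. That is worth stating in the file so it is not mistaken for a functional check, e.g. `<!-- Regression test for bug 92606 (use-after-free); only meaningful under ASan/debug malloc. -->` after the doctype. The `internals.settings` call is correctly guarded by `window.testRunner`, so opening the file in a plain browser just renders the div.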

Modified: trunk/Source/WebCore/ChangeLog (124257 => 124258)


--- trunk/Source/WebCore/ChangeLog	2012-07-31 22:34:18 UTC (rev 124257)
+++ trunk/Source/WebCore/ChangeLog	2012-07-31 22:36:20 UTC (rev 124258)
@@ -1,3 +1,19 @@
+2012-07-31  Luke Macpherson   <[email protected]>
+
+        Heap-use-after-free in WebCore::StyleResolver::loadPendingImage
+        https://bugs.webkit.org/show_bug.cgi?id=92606
+
+        Reviewed by Abhishek Arya.
+
+        Changes StyleResolver's m_pendingImageProperties set to a map, such that for each property we keep
+        a RefPtr to the CSSValue used to set that property. This ensures that CSSValues are not freed before
+        they are needed by loadPendingImage.
+
+        Test: fast/css/variables/deferred-image-load-from-variable.html
+
+        * css/StyleResolver.cpp:
+        * css/StyleResolver.h:
+
 2012-07-31  Chris Rogers  <[email protected]>
 
         Add stub implementation for MediaStreamAudioSourceNode

Modified: trunk/Source/WebCore/css/StyleResolver.cpp (124257 => 124258)


--- trunk/Source/WebCore/css/StyleResolver.cpp	2012-07-31 22:34:18 UTC (rev 124257)
+++ trunk/Source/WebCore/css/StyleResolver.cpp	2012-07-31 22:36:20 UTC (rev 124258)
@@ -4464,14 +4464,14 @@
 {
     RefPtr<StyleImage> image = value->cachedOrPendingImage();
     if (image && image->isPendingImage())
-        m_pendingImageProperties.add(property);
+        m_pendingImageProperties.set(property, value);
     return image.release();
 }
 
 PassRefPtr<StyleImage> StyleResolver::generatedOrPendingFromValue(CSSPropertyID property, CSSImageGeneratorValue* value)
 {
     if (value->isPending()) {
-        m_pendingImageProperties.add(property);
+        m_pendingImageProperties.set(property, value);
         return StylePendingImage::create(value);
     }
     return StyleGeneratedImage::create(value);
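Review bot: The switch from `add` to `set` changes what happens when the same property is recorded twice during one style application, and nothing in the hunk says why replace (`set`) rather than keep-first (`add`) is the right choice. With the old HashSet that distinction did not exist; with the map, `set` drops the reference to the earlier CSSValue and retains the most recently applied one, which is presumably the one the RenderStyle's pending image still refers to, so replacing looks correct but deserves a one-line comment at each call site, e.g. `// Retain value so the CSSValue stays alive until loadPendingImages runs; set() keeps the most recently applied value.` cachedOrPendingFromValue's signature lies above the hunk and generatedOrPendingFromValue's closing brace below it.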
@@ -4482,7 +4482,7 @@
 {
     RefPtr<StyleImage> image = value->cachedOrPendingImageSet(document());
     if (image && image->isPendingImage())
-        m_pendingImageProperties.add(property);
+        m_pendingImageProperties.set(property, value);
     return image.release();
 }
 #endif
@@ -5539,8 +5539,8 @@
     if (m_pendingImageProperties.isEmpty())
         return;
 
-    HashSet<CSSPropertyID>::const_iterator end = m_pendingImageProperties.end();
-    for (HashSet<CSSPropertyID>::const_iterator it = m_pendingImageProperties.begin(); it != end; ++it) {
+    PendingImagePropertyMap::const_iterator::Keys end = m_pendingImageProperties.end().keys();
+    for (PendingImagePropertyMap::const_iterator::Keys it = m_pendingImageProperties.begin().keys(); it != end; ++it) {
         CSSPropertyID currentProperty = *it;
 
         switch (currentProperty) {
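Review bot: The loop walks only `.keys()`, so the RefPtr<CSSValue> stored in the new map is never read here; the map now exists purely to pin the values' lifetime until this function runs. That makes it important that the map is emptied once loading is done, otherwise StyleResolver keeps every pending CSSValue alive until a later resolution overwrites the entry; the end of the loop is outside the hunk, so confirm that a `m_pendingImageProperties.clear()` still follows it. A comment on the loop such as `// Only the keys are used; the mapped CSSValues are retained solely so they are still alive for loadPendingImage.` would make the intent explicit.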
@@ -5645,7 +5645,7 @@
     info.addVector(m_matchedRules);
 
     // FIXME: Instrument StaticCSSRuleList and add m_ruleList here.
-    info.addHashSet(m_pendingImageProperties);
+    info.addHashMap(m_pendingImageProperties);
     info.addVector(m_viewportDependentMediaQueryResults);
     info.addHashMap(m_styleRuleToCSSOMWrapperMap);
     info.addHashSet(m_styleSheetCSSOMWrapperSet);

Modified: trunk/Source/WebCore/css/StyleResolver.h (124257 => 124258)


--- trunk/Source/WebCore/css/StyleResolver.h	2012-07-31 22:34:18 UTC (rev 124257)
+++ trunk/Source/WebCore/css/StyleResolver.h	2012-07-31 22:36:20 UTC (rev 124258)
@@ -470,7 +470,8 @@
 
     RefPtr<StaticCSSRuleList> m_ruleList;
 
-    HashSet<CSSPropertyID> m_pendingImageProperties;
+    typedef HashMap<CSSPropertyID, RefPtr<CSSValue> > PendingImagePropertyMap;
+    PendingImagePropertyMap m_pendingImageProperties;
 
     OwnPtr<MediaQueryEvaluator> m_medium;
     RefPtr<RenderStyle> m_rootDefaultStyle;
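Review bot: The new typedef and member carry no comment explaining what the mapped value is for, and since the value is never read back through the map (the loop in loadPendingImages iterates only the keys), a future reader could reasonably "simplify" this back to a HashSet and reintroduce bug 92606. Suggest `// Maps each property with a pending image to the CSSValue that set it; the RefPtr keeps that value alive until loadPendingImages runs (bug 92606).` above the typedef.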