    use after free in WebCore::SVGTRefElement::updateReferencedText · 33937746
    commit-queue@webkit.org authored
    https://bugs.webkit.org/show_bug.cgi?id=67555
    
    Patch by Rob Buis <rbuis@rim.com> on 2011-09-23
    Reviewed by Nikolas Zimmermann.
    
    Source/WebCore:
    
    Event listeners can outlive the tref element that created them when
    the tref is cloned and then garbage collected, causing a dangling pointer to the
    tref. To fix this, do not install the event listener until the tref is inserted into the document.
    
    Test: svg/custom/tref-clone-crash.html
    
    * svg/SVGTRefElement.cpp:
    (WebCore::SVGTRefElement::svgAttributeChanged):
    (WebCore::SVGTRefElement::insertedIntoDocument):
    * svg/SVGTRefElement.h:
    
    LayoutTests:
    
    Test that a cloned tref does not cause a crash.
    
    * svg/custom/tref-clone-crash-expected.txt: Added.
    * svg/custom/tref-clone-crash.html: Added.
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@95791 268f45cc-cd09-0410-ab3c-d52691b4dbfc