    Heap-use-after-free in WebCore::StyleResolver::loadPendingImage · 44d5ee57
    macpherson@chromium.org authored
    https://bugs.webkit.org/show_bug.cgi?id=92606
    
    Reviewed by Abhishek Arya.
    
    Source/WebCore:
    
    Changes StyleResolver's m_pendingImageProperties set to a map, such that for each property we keep
    a RefPtr to the CSSValue used to set that property. This ensures that CSSValues are not freed before
    they are needed by loadPendingImage.
    
    Test: fast/css/variables/deferred-image-load-from-variable.html
    
    * css/StyleResolver.cpp:
    * css/StyleResolver.h:
    
    LayoutTests:
    
    Exercises the codepath where an image is loaded using a url specified via a variable.
    
    * fast/css/variables/deferred-image-load-from-variable-expected.txt: Added.
    * fast/css/variables/deferred-image-load-from-variable.html: Added.
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@124258 268f45cc-cd09-0410-ab3c-d52691b4dbfc
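The lifetime problem the commit message describes, reduced to a stand-alone illustration. This is added example code, not WebKit's StyleResolver: std::shared_ptr stands in for WebCore's RefPtr, the CSSValue struct, the CSSPropertyID enum and the two resolver classes are simplified stand-ins, and the "before" resolver observes the value through a std::weak_ptr so the dangling case can be detected without actually reading freed memory (the real code held a raw pointer and read through it, which is the heap-use-after-free). The example also covers the case the commit does not spell out: a value still owned by the parsed stylesheet survives either way, which is why the bug only surfaced when the URL came from a variable.

```cpp
// Added illustration of the StyleResolver pending-image lifetime bug.
// Not WebKit code: std::shared_ptr models RefPtr, names are simplified.
#include <iostream>
#include <map>
#include <memory>
#include <set>
#include <string>
#include <vector>

enum CSSPropertyID { CSSPropertyBackgroundImage = 1, CSSPropertyListStyleImage = 2 };

// Stand-in for a CSS image value. When the url() comes from a variable the
// value object is built during resolution and not owned by the stylesheet.
struct CSSValue {
    std::string url;
    explicit CSSValue(std::string u) : url(std::move(u)) {}
};

// Before the fix: the resolver remembers only *which* properties still need
// an image load (a set) and reaches the CSSValue through a non-owning pointer
// when loadPendingImage runs later. A weak_ptr stands in for that raw pointer
// so we can see it dangle safely.
class ResolverBefore {
public:
    void applyProperty(CSSPropertyID id, const std::shared_ptr<CSSValue>& value) {
        m_pendingImageProperties.insert(id);
        m_valueObserver[id] = value;  // does not extend the value's lifetime
    }
    // Returns the URLs it could still read. In the original code an expired
    // entry was dereferenced anyway: that read is the use-after-free.
    std::vector<std::string> loadPendingImages() {
        std::vector<std::string> loaded;
        for (CSSPropertyID id : m_pendingImageProperties) {
            if (auto value = m_valueObserver[id].lock())
                loaded.push_back(value->url);
            // else: value already freed; skipped here instead of crashing
        }
        m_pendingImageProperties.clear();
        m_valueObserver.clear();
        return loaded;
    }
private:
    std::set<CSSPropertyID> m_pendingImageProperties;
    std::map<CSSPropertyID, std::weak_ptr<CSSValue>> m_valueObserver;
};

// After the fix: the set becomes a map from property to an owning reference,
// so the CSSValue cannot be freed before the deferred load consumes it.
class ResolverAfter {
public:
    void applyProperty(CSSPropertyID id, const std::shared_ptr<CSSValue>& value) {
        m_pendingImageProperties[id] = value;  // owning ref keeps it alive
    }
    std::vector<std::string> loadPendingImages() {
        std::vector<std::string> loaded;
        for (const auto& entry : m_pendingImageProperties)
            loaded.push_back(entry.second->url);
        m_pendingImageProperties.clear();
        return loaded;
    }
private:
    std::map<CSSPropertyID, std::shared_ptr<CSSValue>> m_pendingImageProperties;
};

// Drives one resolution. ownedByStylesheet=true models a literal url() that
// the parsed stylesheet keeps alive; false models a url() produced from a
// variable, a temporary that dies as soon as the property has been applied.
template <typename Resolver>
std::vector<std::string> resolveAndLoad(bool ownedByStylesheet) {
    std::shared_ptr<CSSValue> stylesheetOwner;  // simulated stylesheet storage
    Resolver resolver;
    {
        auto value = std::make_shared<CSSValue>("url(img.png)");
        if (ownedByStylesheet)
            stylesheetOwner = value;
        resolver.applyProperty(CSSPropertyBackgroundImage, value);
    }  // temporary released here, before the deferred load
    return resolver.loadPendingImages();
}

int main() {
    std::cout << "before, stylesheet-owned: " << resolveAndLoad<ResolverBefore>(true).size() << " loaded\n";
    std::cout << "before, variable-derived: " << resolveAndLoad<ResolverBefore>(false).size() << " loaded (value was freed)\n";
    std::cout << "after,  variable-derived: " << resolveAndLoad<ResolverAfter>(false).size() << " loaded\n";
    return 0;
}
```

The variable-derived case is the one the new layout test exercises: with a set of property IDs the resolver has nothing keeping the CSSValue alive across the deferred load, whereas the map of owning references makes the load safe regardless of who else holds the value.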