Heap-use-after-free in WebCore::StyleResolver::loadPendingImage

https://bugs.webkit.org/show_bug.cgi?id=92606

Reviewed by Abhishek Arya.

Source/WebCore:

Changes StyleResolver's m_pendingImageProperties set to a map, such that for each property we keep
a RefPtr to the CSSValue used to set that property. This ensures that CSSValues are not freed before
they are needed by loadPendingImage.

Test: fast/css/variables/deferred-image-load-from-variable.html

* css/StyleResolver.cpp:
* css/StyleResolver.h:

LayoutTests:

Exercises the codepath where an image is loaded using a url specified via a variable.

* fast/css/variables/deferred-image-load-from-variable-expected.txt: Added.
* fast/css/variables/deferred-image-load-from-variable.html: Added.


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@124258 268f45cc-cd09-0410-ab3c-d52691b4dbfc
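The lifetime problem the commit message describes, shown as an added C++ illustration written for this page (not WebKit code): `ImageValue`, `PendingImage` and the two `Resolver` structs are simplified stand-ins for CSSValue, StylePendingImage and StyleResolver, with `std::shared_ptr` standing in for RefPtr. The "set" variant models the code before this commit, where the pending image keeps only a bare pointer and nothing pins the value; the "map" variant models the fix.

```cpp
#include <map>
#include <memory>
#include <set>
#include <string>

// Stand-in for CSSValue. In WebKit it is reference counted (RefCounted/RefPtr);
// std::shared_ptr plays that role in this illustration.
struct ImageValue {
    std::string url;
    explicit ImageValue(std::string u) : url(std::move(u)) {}
};

// Stand-in for StylePendingImage: it records only a bare pointer to the value,
// so it does nothing to keep the value alive.
struct PendingImage {
    ImageValue* value = nullptr;
};

// Before the fix: the resolver remembers only which properties are pending
// (a HashSet<CSSPropertyID>); nothing in the resolver owns the value.
struct ResolverWithSet {
    std::set<int> pendingProperties;
    PendingImage pendingImage;
    std::weak_ptr<ImageValue> probe; // demo-only: observe whether the value still exists

    void collect(int property, const std::shared_ptr<ImageValue>& value) {
        pendingProperties.insert(property);
        pendingImage.value = value.get(); // no reference taken
        probe = value;
    }
    bool valueAlive() const { return !probe.expired(); }
};

// After the fix: the map pins each pending value with a strong reference
// (RefPtr<CSSValue> in WebKit) until loadPendingImages() has consumed it.
struct ResolverWithMap {
    std::map<int, std::shared_ptr<ImageValue>> pendingProperties;
    PendingImage pendingImage;
    std::weak_ptr<ImageValue> probe; // demo-only, as above

    void collect(int property, const std::shared_ptr<ImageValue>& value) {
        pendingProperties[property] = value; // strong reference held by the resolver
        pendingImage.value = value.get();
        probe = value;
    }
    bool valueAlive() const { return !probe.expired(); }

    // Safe: the map guarantees pendingImage.value still points at a live object.
    std::string loadPendingImages() {
        std::string loaded = pendingImage.value ? pendingImage.value->url : std::string();
        pendingProperties.clear(); // release the references once the loads are issued
        pendingImage.value = nullptr;
        return loaded;
    }
};

// Models the crash path: a variable reference resolves to a temporary value
// (url(1)), the property is applied, the temporary's only owner goes away, and
// the pending loads are processed afterwards.
template <typename Resolver>
static bool valueAliveAtLoadTime(Resolver& resolver) {
    {
        auto temporary = std::make_shared<ImageValue>("url(1)");
        resolver.collect(/*property=*/1, temporary);
    } // the temporary's sole owner is gone here
    return resolver.valueAlive();
}

bool setVariantAliveAtLoad() {
    ResolverWithSet resolver;
    return valueAliveAtLoadTime(resolver); // false: pendingImage.value now dangles
}

bool mapVariantAliveAtLoad() {
    ResolverWithMap resolver;
    return valueAliveAtLoadTime(resolver); // true: the map still owns the value
}

std::string mapVariantLoads() {
    ResolverWithMap resolver;
    valueAliveAtLoadTime(resolver);
    return resolver.loadPendingImages(); // "url(1)"
}

int main() {
    // Exit status 0 only if the set variant dangles and the map variant loads correctly.
    return setVariantAliveAtLoad() || !mapVariantAliveAtLoad() || mapVariantLoads() != "url(1)";
}
```

The set variant never dereferences its dangling pointer (that would be undefined behaviour); it only reports that the value is gone by the time loads would run, which is exactly what an ASan build reports as heap-use-after-free when the real code does dereference it.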
parent 27ae0acb
2012-07-31 Luke Macpherson <macpherson@chromium.org>
Heap-use-after-free in WebCore::StyleResolver::loadPendingImage
https://bugs.webkit.org/show_bug.cgi?id=92606
Reviewed by Abhishek Arya.
Exercises the codepath where an image is loaded using a url specified via a variable.
* fast/css/variables/deferred-image-load-from-variable-expected.txt: Added.
* fast/css/variables/deferred-image-load-from-variable.html: Added.
2012-07-31 Peter Kasting <pkasting@google.com>
[Chromium] Rebaselines.
<!DOCTYPE html>
<script>
if (window.testRunner) {
testRunner.dumpAsText();
internals.settings.setCSSVariablesEnabled(true);
}
</script>
<style>
div {
-webkit-var-a: url(1);
-webkit-mask: -webkit-var(a);
}
</style>
<div></div>
This test is successful if it does not crash.
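Review bot: the test passes whenever nothing crashes, so a read of a freed-but-still-mapped CSSValue would pass silently on a build without ASan or a scribbling allocator; consider also asserting the resolved result, e.g. that getComputedStyle on the div reports the mask image from url(1), so the test verifies the variable was actually applied and not just that the code survived.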
2012-07-31 Luke Macpherson <macpherson@chromium.org>
Heap-use-after-free in WebCore::StyleResolver::loadPendingImage
https://bugs.webkit.org/show_bug.cgi?id=92606
Reviewed by Abhishek Arya.
Changes StyleResolver's m_pendingImageProperties set to a map, such that for each property we keep
a RefPtr to the CSSValue used to set that property. This ensures that CSSValues are not freed before
they are needed by loadPendingImage.
Test: fast/css/variables/deferred-image-load-from-variable.html
* css/StyleResolver.cpp:
* css/StyleResolver.h:
2012-07-31 Chris Rogers <crogers@google.com>
Add stub implementation for MediaStreamAudioSourceNode
......@@ -4464,14 +4464,14 @@ PassRefPtr<StyleImage> StyleResolver::cachedOrPendingFromValue(CSSPropertyID pro
{
RefPtr<StyleImage> image = value->cachedOrPendingImage();
if (image && image->isPendingImage())
m_pendingImageProperties.add(property);
m_pendingImageProperties.set(property, value);
return image.release();
}
PassRefPtr<StyleImage> StyleResolver::generatedOrPendingFromValue(CSSPropertyID property, CSSImageGeneratorValue* value)
{
if (value->isPending()) {
m_pendingImageProperties.add(property);
m_pendingImageProperties.set(property, value);
return StylePendingImage::create(value);
}
return StyleGeneratedImage::create(value);
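Review bot: the hunk does not show where m_pendingImageProperties is cleared; now that each entry holds a RefPtr<CSSValue>, confirm that loadPendingImages() (or the end of style resolution) still empties the map, otherwise the resolver keeps every pending CSSValue alive until the next resolution rather than only until loadPendingImage needs it. Also note that `m_pendingImageProperties.set(property, value);` replaces an earlier entry for the same property, whereas the old `add(property)` was a no-op on a duplicate; last-applied-value-wins is presumably what is wanted, but a one-line comment would save the next reader from checking.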
......@@ -4482,7 +4482,7 @@ PassRefPtr<StyleImage> StyleResolver::setOrPendingFromValue(CSSPropertyID proper
{
RefPtr<StyleImage> image = value->cachedOrPendingImageSet(document());
if (image && image->isPendingImage())
m_pendingImageProperties.add(property);
m_pendingImageProperties.set(property, value);
return image.release();
}
#endif
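Review bot: this is the third copy of the `if (image && image->isPendingImage()) m_pendingImageProperties.set(property, value);` pattern (cachedOrPendingFromValue and generatedOrPendingFromValue above have the other two); consider a small private helper such as a hypothetical addPendingImageProperty(property, value) so that the next image-producing path, like this one behind #if, cannot regress by recording the property without the value.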
......@@ -5539,8 +5539,8 @@ void StyleResolver::loadPendingImages()
if (m_pendingImageProperties.isEmpty())
return;
HashSet<CSSPropertyID>::const_iterator end = m_pendingImageProperties.end();
for (HashSet<CSSPropertyID>::const_iterator it = m_pendingImageProperties.begin(); it != end; ++it) {
PendingImagePropertyMap::const_iterator::Keys end = m_pendingImageProperties.end().keys();
for (PendingImagePropertyMap::const_iterator::Keys it = m_pendingImageProperties.begin().keys(); it != end; ++it) {
CSSPropertyID currentProperty = *it;
switch (currentProperty) {
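Review bot: the loop iterates `.keys()` only and never reads the stored RefPtr, so nothing here explains why the value is in the map; add a comment at the loop (or on the typedef) stating that the RefPtr exists purely to keep the CSSValue alive until loadPendingImage runs on the StylePendingImage that still points at it. If StylePendingImage itself holds only a bare CSSValue* (StylePendingImage::create(value) above does not take a reference), having it hold a RefPtr would remove the dependence on this map's lifetime altogether and is worth a follow-up.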
......@@ -5645,7 +5645,7 @@ void StyleResolver::reportMemoryUsage(MemoryObjectInfo* memoryObjectInfo) const
info.addVector(m_matchedRules);
// FIXME: Instrument StaticCSSRuleList and add m_ruleList here.
info.addHashSet(m_pendingImageProperties);
info.addHashMap(m_pendingImageProperties);
info.addVector(m_viewportDependentMediaQueryResults);
info.addHashMap(m_styleRuleToCSSOMWrapperMap);
info.addHashSet(m_styleSheetCSSOMWrapperSet);
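Review bot: addHashMap is the right counterpart to the removed addHashSet, but check what the instrumentation does with a RefPtr<CSSValue> mapped type: the CSSValues are owned by their style sheets and should be accounted for there, so this line should cover only the table itself and not recurse into the values, or the memory will be double-counted.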
......@@ -470,7 +470,8 @@ private:
RefPtr<StaticCSSRuleList> m_ruleList;
HashSet<CSSPropertyID> m_pendingImageProperties;
typedef HashMap<CSSPropertyID, RefPtr<CSSValue> > PendingImagePropertyMap;
PendingImagePropertyMap m_pendingImageProperties;
OwnPtr<MediaQueryEvaluator> m_medium;
RefPtr<RenderStyle> m_rootDefaultStyle;
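Review bot: the new member has no comment; a one-liner on m_pendingImageProperties saying that the RefPtr<CSSValue> value keeps the CSSValue alive until loadPendingImages() runs (bug 92606) would document the invariant that the keys-only iteration in loadPendingImages relies on, since the mapped value is otherwise never read.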