1. 31 Jul, 2012 1 commit
    • Heap-use-after-free in WebCore::StyleResolver::loadPendingImage · 44d5ee57
      macpherson@chromium.org authored
      https://bugs.webkit.org/show_bug.cgi?id=92606
      
      Reviewed by Abhishek Arya.
      
      Source/WebCore:
      
      Changes StyleResolver's m_pendingImageProperties set to a map, such that for each property we keep
      a RefPtr to the CSSValue used to set that property. This ensures that CSSValues are not freed before
      they are needed by loadPendingImage.
      
      Test: fast/css/variables/deferred-image-load-from-variable.html
      
      * css/StyleResolver.cpp:
      * css/StyleResolver.h:
      
      LayoutTests:
      
      Exercises the codepath where an image is loaded using a url specified via a variable.
      
      * fast/css/variables/deferred-image-load-from-variable-expected.txt: Added.
      * fast/css/variables/deferred-image-load-from-variable.html: Added.
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@124258 268f45cc-cd09-0410-ab3c-d52691b4dbfc
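
An added example, not code from the WebKit commit: a minimal model of the lifetime change the commit message describes, with `std::shared_ptr`/`std::weak_ptr` standing in for WebKit's `RefPtr`. The class names, `PropertyID`, `Value`, the URL and the scoped temporary are assumptions made for illustration.

```cpp
#include <cstdio>
#include <map>
#include <memory>
#include <string>
#include <vector>
enum PropertyID { BackgroundImage };      // hypothetical property id
struct Value { std::string url; };        // stand-in for a CSSValue

// "Before" shape: pending properties do not own their value. weak_ptr models
// the non-owning pointer so the stale entry is observable without touching freed memory.
class NonOwningResolver {
    std::map<PropertyID, std::weak_ptr<Value>> pending_;
public:
    void defer(PropertyID id, const std::shared_ptr<Value>& v) { pending_[id] = v; }
    std::vector<std::string> loadPending() {
        std::vector<std::string> loaded;
        for (auto& entry : pending_)
            if (auto v = entry.second.lock()) loaded.push_back(v->url);
        pending_.clear();
        return loaded;
    }
};

// "After" shape: one strong reference per property, held until the load.
class OwningResolver {
    std::map<PropertyID, std::shared_ptr<Value>> pending_;
public:
    void defer(PropertyID id, const std::shared_ptr<Value>& v) { pending_[id] = v; }
    std::vector<std::string> loadPending() {
        std::vector<std::string> loaded;
        for (auto& entry : pending_) loaded.push_back(entry.second->url);
        pending_.clear();                 // release the references once used
        return loaded;
    }
};

// Assumed scenario: the value lives only while the property is applied; the load runs later.
template <class Resolver>
std::vector<std::string> applyThenLoad() {
    Resolver r;
    {
        auto tmp = std::make_shared<Value>(Value{"image.png"});  // constructed sample value
        r.defer(BackgroundImage, tmp);
    }                                     // last outside reference is dropped here
    return r.loadPending();
}

int main() {
    std::printf("%zu %zu\n", applyThenLoad<NonOwningResolver>().size(), applyThenLoad<OwningResolver>().size());
}
```

In the non-owning model the deferred load finds nothing left to load; with raw pointers the same ordering is the use-after-free, which is why tools such as AddressSanitizer report it at the point of the load.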