Title: [280222] releases/WebKitGTK/webkit-2.32/Source/WebCore
Revision
280222
Author
[email protected]
Date
2021-07-23 01:08:09 -0700 (Fri, 23 Jul 2021)

Log Message

Merge r273752 - Crash under KeyframeEffect::setTarget()
https://bugs.webkit.org/show_bug.cgi?id=222591
<rdar://problem/74281295>

Reviewed by David Kilzer.

The Styleable returned by targetStyleable() holds a reference to the Element that at
this point is m_target (assuming it's non-null). However, once we set the new value
for m_target, if the only reference to the original target was held by this KeyframeEffect,
then that element will be deallocated and by the time we call didChangeTargetStyleable()
it will be gone.

To address, we create a RefPtr<Element> in the scope of KeyframeEffect::setTarget()
protecting the Styleable's element while didChangeTargetStyleable() is called.

* animation/KeyframeEffect.cpp:
(WebCore::KeyframeEffect::setTarget):
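The lifetime problem the log message describes, and the protector that fixes it, as an added example that is not WebKit code. It models `Element`, `RefPtr` and `Styleable` with minimal stand-ins (assumed shapes, named after the WebCore types but not taken from them), and records live element addresses in a registry so the "element is gone" case can be observed without touching freed memory; `setTargetUnprotected` is the pre-fix shape and `setTarget` the fixed one:

```cpp
// Added example (not WebKit code): a minimal model of the lifetime bug and of
// the RefPtr "protector" pattern used to fix it.
#include <cstddef>
#include <optional>
#include <set>
#include <utility>

// Registry of live Element addresses: constructed scaffolding so the example can
// tell whether an element was freed without dereferencing it.
static std::set<const void*> g_liveElements;

// Minimal intrusive ref-counting, standing in for WTF::RefCounted (assumption).
class Element {
public:
    explicit Element(int id) : m_id(id) { g_liveElements.insert(this); }
    ~Element() { g_liveElements.erase(this); }
    void ref() { ++m_refCount; }
    void deref() { if (--m_refCount == 0) delete this; }
    int id() const { return m_id; }
private:
    int m_id;
    unsigned m_refCount { 0 };
};

// Minimal RefPtr, standing in for WTF::RefPtr<Element> (assumption).
class RefPtr {
public:
    RefPtr() = default;
    explicit RefPtr(Element* p) : m_ptr(p) { if (m_ptr) m_ptr->ref(); }
    RefPtr(const RefPtr& o) : RefPtr(o.m_ptr) {}
    RefPtr(RefPtr&& o) noexcept : m_ptr(std::exchange(o.m_ptr, nullptr)) {}
    ~RefPtr() { if (m_ptr) m_ptr->deref(); }
    // Assigning releases the old pointee once the temporary goes out of scope;
    // that release is exactly where the previous target can be destroyed.
    RefPtr& operator=(RefPtr o) { std::swap(m_ptr, o.m_ptr); return *this; }
    Element* get() const { return m_ptr; }
    explicit operator bool() const { return m_ptr; }
private:
    Element* m_ptr { nullptr };
};

// Like WebCore::Styleable: a non-owning reference to an element.
struct Styleable {
    Element& element;
};

// Stand-in for didChangeTargetStyleable(): reports whether the previous
// element was still alive when the callback observed it.
static bool didChangeTargetStyleable(const std::optional<Styleable>& previous) {
    if (!previous)
        return true;
    return g_liveElements.count(&previous->element) == 1;
}

class KeyframeEffect {
public:
    std::optional<Styleable> targetStyleable() const {
        if (!m_target)
            return std::nullopt;
        return Styleable { *m_target.get() };
    }
    // Pre-fix shape: if this effect held the only reference, the previous
    // element dies inside the assignment and the callback sees a dead element.
    bool setTargetUnprotected(RefPtr newTarget) {
        auto previous = targetStyleable();
        m_target = std::move(newTarget);
        return didChangeTargetStyleable(previous);
    }
    // Fixed shape: a protector in this scope keeps the previous element alive
    // until the callback has run, then releases it on return.
    bool setTarget(RefPtr newTarget) {
        auto previous = targetStyleable();
        RefPtr protector;
        if (previous)
            protector = RefPtr(&previous->element);
        m_target = std::move(newTarget);
        return didChangeTargetStyleable(previous);
    }
private:
    RefPtr m_target;
};

// Scenario: the effect is the sole owner of its target, then the target is replaced.
static bool previousElementAliveDuringCallback(bool useProtector) {
    KeyframeEffect effect;
    effect.setTarget(RefPtr(new Element(1)));   // only this effect refs element 1
    RefPtr replacement(new Element(2));
    return useProtector ? effect.setTarget(replacement)
                        : effect.setTargetUnprotected(replacement);
}

// After every scenario returns, no element should remain alive (no leak).
static std::size_t liveElementCount() { return g_liveElements.size(); }
```

`previousElementAliveDuringCallback(false)` returns false because the old element is freed by the assignment, while `previousElementAliveDuringCallback(true)` returns true; both leave `liveElementCount()` at zero, showing the protector delays the release rather than leaking the element.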

Modified Paths

Diff

Modified: releases/WebKitGTK/webkit-2.32/Source/WebCore/ChangeLog (280221 => 280222)


--- releases/WebKitGTK/webkit-2.32/Source/WebCore/ChangeLog	2021-07-23 08:03:58 UTC (rev 280221)
+++ releases/WebKitGTK/webkit-2.32/Source/WebCore/ChangeLog	2021-07-23 08:08:09 UTC (rev 280222)
@@ -1,3 +1,23 @@
+2021-03-02  Antoine Quint  <[email protected]>
+
+        Crash under KeyframeEffect::setTarget()
+        https://bugs.webkit.org/show_bug.cgi?id=222591
+        <rdar://problem/74281295>
+
+        Reviewed by David Kilzer.
+
+        The Styleable returned by targetStyleable() holds a reference to the Element that at
+        this point is m_target (assuming it's non-null). However, once we set the new value
+        for m_target, if the only reference to the original target was held by this KeyframeEffect,
+        then that element will be deallocated and by the time we call didChangeTargetStyleable()
+        it will be gone.
+
+        To address, we create a RefPtr<Element> in the scope of KeyframeEffect::setTarget()
+        protecting the Styleable's element while didChangeTargetStyleable() is called.
+
+        * animation/KeyframeEffect.cpp:
+        (WebCore::KeyframeEffect::setTarget):
+
 2021-03-14  Rob Buis  <[email protected]>
 
         Cancel image loader events after first dispatch
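Review bot: the entry records only animation/KeyframeEffect.cpp under the changed files, so no regression test for the crash is listed; if r273752 landed with a LayoutTest, merge it alongside or say here why it was left out. The entry is also dated 2021-03-02 yet sits above the 2021-03-14 Rob Buis entry, which is the usual result of merging an older upstream revision onto the 2.32 branch and is already explained by the "Merge r273752" line in the commit message, so no change is needed for that.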

Modified: releases/WebKitGTK/webkit-2.32/Source/WebCore/animation/KeyframeEffect.cpp (280221 => 280222)


--- releases/WebKitGTK/webkit-2.32/Source/WebCore/animation/KeyframeEffect.cpp	2021-07-23 08:03:58 UTC (rev 280221)
+++ releases/WebKitGTK/webkit-2.32/Source/WebCore/animation/KeyframeEffect.cpp	2021-07-23 08:08:09 UTC (rev 280222)
@@ -1162,6 +1162,9 @@
         return;
 
     auto& previousTargetStyleable = targetStyleable();
+    RefPtr<Element> protector;
+    if (previousTargetStyleable)
+        protector = makeRefPtr(previousTargetStyleable->element);
     m_target = WTFMove(newTarget);
     didChangeTargetStyleable(previousTargetStyleable);
 }
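Review bot: the three added lines carry no comment saying why `protector` exists, and the rationale lives only in the ChangeLog; a one-liner above `RefPtr<Element> protector;` such as `// Keep the previous target alive until didChangeTargetStyleable() has run.` would spare the next reader a trip to the log. The fix itself reads correctly in the visible lines: `protector` is taken before `m_target = WTFMove(newTarget);`, which is where the last reference to the old element can be dropped, and it is not released until the function returns, after `didChangeTargetStyleable(previousTargetStyleable);`. It also relies on `previousTargetStyleable`, bound with `auto&` to the value returned by `targetStyleable()`, staying valid across the assignment; its element reference is only safe to hand to the callback because the protector keeps that element alive.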
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
