Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 777fe1501522cc907234a327b306b3cafffb1501
https://github.com/WebKit/WebKit/commit/777fe1501522cc907234a327b306b3cafffb1501
Author: Chirag M Shah <[email protected]>
Date: 2023-05-22 (Mon, 22 May 2023)
Changed paths:
A LayoutTests/svg/animations/svg-element-attribute-changed-crash-expected.txt
A LayoutTests/svg/animations/svg-element-attribute-changed-crash.html
M Source/WebCore/svg/properties/SVGAnimatedProperty.cpp
Log Message:
-----------
Fix heap use-after-free in Update::addSVGRendererUpdate
https://bugs.webkit.org/show_bug.cgi?id=254281
rdar://107052707
Reviewed by Ryosuke Niwa.
Update::addSVGRendererUpdate can end up removing the SVGElement from
m_roots, which can result in SVGElement being deleted when an attribute
change happens. This change prevents that by protecting the SVGElement
using a RefPtr.
* LayoutTests/svg/animations/svg-element-attribute-changed-crash-expected.txt: Added.
* LayoutTests/svg/animations/svg-element-attribute-changed-crash.html: Added.
* Source/WebCore/svg/properties/SVGAnimatedProperty.cpp:
(WebCore::SVGAnimatedProperty::commitPropertyChange):
Originally-landed-as: 259548.475@safari-7615-branch (aaa1c998206d).
rdar://107052707
Canonical link: https://commits.webkit.org/264355@main
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
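
The protector pattern named in the log message, as an added example that is not WebKit code and not part of the original commit: `std::shared_ptr` stands in for WebKit's `RefPtr`, and `Roots`, `Element`, `Trace` and `runCommit` are hypothetical names. The container holds the only owning reference, the callback removes it, and the extra local reference keeps the object alive until the function returns.

```cpp
#include <algorithm>
#include <memory>
#include <vector>

struct Element;
struct Trace { bool destroyed = false; bool aliveAfterCallback = false; };

// Owning container, a stand-in for the m_roots named in the log message.
struct Roots {
    std::vector<std::shared_ptr<Element>> items;
    void remove(const Element* e) {
        items.erase(std::remove_if(items.begin(), items.end(),
            [e](const std::shared_ptr<Element>& p) { return p.get() == e; }),
            items.end());
    }
};

struct Element : std::enable_shared_from_this<Element> {
    Roots& roots;
    Trace& trace; // outlives the element so its lifetime can be observed
    Element(Roots& r, Trace& t) : roots(r), trace(t) { }
    ~Element() { trace.destroyed = true; }

    // Stand-in for the update step that can drop the last owning reference.
    void attributeChanged() { roots.remove(this); }

    void commitPropertyChange() {
        // Protector: one extra strong reference for the duration of this call.
        std::shared_ptr<Element> protectedThis = shared_from_this();
        attributeChanged();
        // Without protectedThis, *this would already be destroyed here.
        trace.aliveAfterCallback = !trace.destroyed;
    }
};

Trace runCommit() {
    Trace trace;
    Roots roots;
    roots.items.push_back(std::make_shared<Element>(roots, trace));
    Element* raw = roots.items.front().get(); // non-owning pointer held by the caller
    raw->commitPropertyChange();
    return trace;
}

int main() {
    Trace t = runCommit();
    return (t.aliveAfterCallback && t.destroyed) ? 0 : 1;
}
```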