Modified: branches/safari-536.28-branch/LayoutTests/ChangeLog (133234 => 133235)
--- branches/safari-536.28-branch/LayoutTests/ChangeLog 2012-11-01 22:33:10 UTC (rev 133234)
+++ branches/safari-536.28-branch/LayoutTests/ChangeLog 2012-11-01 22:45:24 UTC (rev 133235)
@@ -1,5 +1,21 @@
2012-11-01 Lucas Forschler <[email protected]>
+ Merge r124258
+
+ 2012-07-31 Luke Macpherson <[email protected]>
+
+ Heap-use-after-free in WebCore::StyleResolver::loadPendingImage
+ https://bugs.webkit.org/show_bug.cgi?id=92606
+
+ Reviewed by Abhishek Arya.
+
+ Exercises the codepath where an image is loaded using a url specified via a variable.
+
+ * fast/css/variables/deferred-image-load-from-variable-expected.txt: Added.
+ * fast/css/variables/deferred-image-load-from-variable.html: Added.
+
+2012-11-01 Lucas Forschler <[email protected]>
+
Merge r124156
2012-07-30 MORITA Hajime <[email protected]>
@@ -10651,3 +10667,4 @@
.
.
.
+.
Copied: branches/safari-536.28-branch/LayoutTests/fast/css/variables/deferred-image-load-from-variable-expected.txt (from rev 124258, trunk/LayoutTests/fast/css/variables/deferred-image-load-from-variable-expected.txt) (0 => 133235)
--- branches/safari-536.28-branch/LayoutTests/fast/css/variables/deferred-image-load-from-variable-expected.txt (rev 0)
+++ branches/safari-536.28-branch/LayoutTests/fast/css/variables/deferred-image-load-from-variable-expected.txt 2012-11-01 22:45:24 UTC (rev 133235)
@@ -0,0 +1 @@
+This test is successful if it does not crash.
Copied: branches/safari-536.28-branch/LayoutTests/fast/css/variables/deferred-image-load-from-variable.html (from rev 124258, trunk/LayoutTests/fast/css/variables/deferred-image-load-from-variable.html) (0 => 133235)
--- branches/safari-536.28-branch/LayoutTests/fast/css/variables/deferred-image-load-from-variable.html (rev 0)
+++ branches/safari-536.28-branch/LayoutTests/fast/css/variables/deferred-image-load-from-variable.html 2012-11-01 22:45:24 UTC (rev 133235)
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ internals.settings.setCSSVariablesEnabled(true);
+}
+</script>
+<style>
+div {
+ -webkit-var-a: url(1);
+ -webkit-mask: -webkit-var(a);
+}
+</style>
+<div></div>
+This test is successful if it does not crash.
Modified: branches/safari-536.28-branch/Source/WebCore/ChangeLog (133234 => 133235)
--- branches/safari-536.28-branch/Source/WebCore/ChangeLog 2012-11-01 22:33:10 UTC (rev 133234)
+++ branches/safari-536.28-branch/Source/WebCore/ChangeLog 2012-11-01 22:45:24 UTC (rev 133235)
@@ -1,5 +1,25 @@
2012-11-01 Lucas Forschler <[email protected]>
+ Merge r124258
+
+ 2012-07-31 Luke Macpherson <[email protected]>
+
+ Heap-use-after-free in WebCore::StyleResolver::loadPendingImage
+ https://bugs.webkit.org/show_bug.cgi?id=92606
+
+ Reviewed by Abhishek Arya.
+
+ Changes StyleResolver's m_pendingImageProperties set to a map, such that for each property we keep
+ a RefPtr to the CSSValue used to set that property. This ensures that CSSValues are not freed before
+ they are needed by loadPendingImage.
+
+ Test: fast/css/variables/deferred-image-load-from-variable.html
+
+ * css/StyleResolver.cpp:
+ * css/StyleResolver.h:
+
+2012-11-01 Lucas Forschler <[email protected]>
+
Merge r124156
2012-07-30 MORITA Hajime <[email protected]>
@@ -205901,3 +205921,4 @@
.
.
.
+.
Modified: branches/safari-536.28-branch/Source/WebCore/css/StyleResolver.cpp (133234 => 133235)
--- branches/safari-536.28-branch/Source/WebCore/css/StyleResolver.cpp 2012-11-01 22:33:10 UTC (rev 133234)
+++ branches/safari-536.28-branch/Source/WebCore/css/StyleResolver.cpp 2012-11-01 22:45:24 UTC (rev 133235)
@@ -4273,14 +4273,14 @@
{
RefPtr<StyleImage> image = value->cachedOrPendingImage();
if (image && image->isPendingImage())
- m_pendingImageProperties.add(property);
+ m_pendingImageProperties.set(property, value);
return image.release();
}
PassRefPtr<StyleImage> StyleResolver::generatedOrPendingFromValue(CSSPropertyID property, CSSImageGeneratorValue* value)
{
if (value->isPending()) {
- m_pendingImageProperties.add(property);
+ m_pendingImageProperties.set(property, value);
return StylePendingImage::create(value);
}
return StyleGeneratedImage::create(value);
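Review bot: `m_pendingImageProperties.set(property, value)` on the added lines here (and on the same line in the `@@ -4291` hunk below) replaces whatever RefPtr was already stored under that property, so if one property produces several pending images during a single resolution — a comma-separated multi-layer background or mask value would plausibly take this path once per layer — only the last CSSValue is retained and the earlier ones keep the lifetime exposure this merge is closing, assuming they can also be temporaries as in the variable case. Worth confirming against the callers; if they can, the mapped type needs to be a collection (e.g. `Vector<RefPtr<CSSValue> >`) or the reference should be held by the pending image itself. A comment on the first `set` would also make the intent visible: `// Retain the value: the pending image created from it must outlive style resolution (bug 92606).` Both enclosing functions are cut by the hunk: the first one's signature precedes it and `generatedOrPendingFromValue`'s closing brace follows it.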
@@ -4291,7 +4291,7 @@
{
RefPtr<StyleImage> image = value->cachedOrPendingImageSet(document());
if (image && image->isPendingImage())
- m_pendingImageProperties.add(property);
+ m_pendingImageProperties.set(property, value);
return image.release();
}
#endif
@@ -5795,8 +5795,8 @@
if (m_pendingImageProperties.isEmpty())
return;
- HashSet<CSSPropertyID>::const_iterator end = m_pendingImageProperties.end();
- for (HashSet<CSSPropertyID>::const_iterator it = m_pendingImageProperties.begin(); it != end; ++it) {
+ PendingImagePropertyMap::const_iterator::Keys end = m_pendingImageProperties.end().keys();
+ for (PendingImagePropertyMap::const_iterator::Keys it = m_pendingImageProperties.begin().keys(); it != end; ++it) {
CSSPropertyID currentProperty = *it;
switch (currentProperty) {
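Review bot: The rewritten loop iterates `.keys()` only, so the `RefPtr<CSSValue>` stored for each property is never read in this function; that is deliberate, but a reader who sees a map here will expect the value to be consumed and may try to "use" it. A comment above the `for` would pin the contract: `// Only the keys are needed here; the mapped CSSValue is held solely so it stays alive until the pending image below is loaded (bug 92606).` The enclosing function starts before the hunk and continues after it, so where the map is cleared once the loads complete is not visible here.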
Modified: branches/safari-536.28-branch/Source/WebCore/css/StyleResolver.h (133234 => 133235)
--- branches/safari-536.28-branch/Source/WebCore/css/StyleResolver.h 2012-11-01 22:33:10 UTC (rev 133234)
+++ branches/safari-536.28-branch/Source/WebCore/css/StyleResolver.h 2012-11-01 22:45:24 UTC (rev 133235)
@@ -468,7 +468,8 @@
RefPtr<StaticCSSRuleList> m_ruleList;
- HashSet<CSSPropertyID> m_pendingImageProperties;
+ typedef HashMap<CSSPropertyID, RefPtr<CSSValue> > PendingImagePropertyMap;
+ PendingImagePropertyMap m_pendingImageProperties;
OwnPtr<MediaQueryEvaluator> m_medium;
RefPtr<RenderStyle> m_rootDefaultStyle;
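Review bot: The new `PendingImagePropertyMap` typedef gives no hint why the mapped type is `RefPtr<CSSValue>` rather than the set it replaces; per the ChangeLog the value exists purely as a lifetime guarantee, which is exactly the kind of thing a later cleanup "simplifies" away. Suggest documenting it at the declaration: `// Maps each property with a pending image to the CSSValue it was set from; the ref keeps that value alive until loadPendingImage consumes it (bug 92606).` The surrounding class declaration lies outside the hunk.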