[webkit-changes] [WebKit/WebKit] 85237c: CSSValue pointer returned from DeclaredStyleProper...

Žan Doberšek noreply at github.com
Thu Oct 27 01:35:56 PDT 2022


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 85237c9326a2c76a8445d031f0ed3d2d0680291c
      https://github.com/WebKit/WebKit/commit/85237c9326a2c76a8445d031f0ed3d2d0680291c
  Author: Žan Doberšek <zdobersek at igalia.com>
  Date:   2022-10-27 (Thu, 27 Oct 2022)

  Changed paths:
    M Source/WebCore/css/typedom/ComputedStylePropertyMapReadOnly.cpp
    M Source/WebCore/css/typedom/DeclaredStylePropertyMap.cpp
    M Source/WebCore/css/typedom/DeclaredStylePropertyMap.h
    M Source/WebCore/css/typedom/MainThreadStylePropertyMapReadOnly.h
    M Source/WebCore/css/typedom/StylePropertyMapReadOnly.cpp
    M Source/WebCore/css/typedom/StylePropertyMapReadOnly.h
    M Source/WebCore/dom/StyledElement.cpp
    M Source/WebCore/html/CustomPaintImage.cpp

  Log Message:
  -----------
  CSSValue pointer returned from DeclaredStylePropertyMap::propertyValue() causes use-after-free errors
https://bugs.webkit.org/show_bug.cgi?id=247055

Reviewed by Chris Dumez.

Have MainThreadStylePropertyMapReadOnly's propertyValue() and
customPropertyValue() methods return RefPtr<CSSValue> values instead of raw
CSSValue pointers. This enables ensuring the lifetime of the CSSValue object,
avoiding use-after-free errors thrown by newer GCC versions when the pointer
value is first retrieved from one subsequently-destroyed RefPtr and then used to
construct a new RefPtr from that same pointer value, with GCC worried about the
object possibly being freed by that first RefPtr's destruction.

All the propertyValue() and customPropertyValue() overrides are able to return
the exact RefPtr object from which the pointer value has been retrieved so far.

StylePropertyMapReadOnly's reifyValue() and reifyValueToVector() functions are
changed to accept a RefPtr<CSSValue> rvalue as their first parameter, with a few
other callsites properly adjusted. The customPropertyValueOrDefault() method is
removed since it's unused.

* Source/WebCore/css/typedom/ComputedStylePropertyMapReadOnly.cpp:
(WebCore::ComputedStylePropertyMapReadOnly::get const):
(WebCore::ComputedStylePropertyMapReadOnly::getAll const):
(WebCore::ComputedStylePropertyMapReadOnly::entries const):
* Source/WebCore/css/typedom/DeclaredStylePropertyMap.cpp:
(WebCore::DeclaredStylePropertyMap::entries const):
(WebCore::DeclaredStylePropertyMap::propertyValue const):
(WebCore::DeclaredStylePropertyMap::customPropertyValue const):
* Source/WebCore/css/typedom/DeclaredStylePropertyMap.h:
* Source/WebCore/css/typedom/MainThreadStylePropertyMapReadOnly.h:
* Source/WebCore/css/typedom/StylePropertyMapReadOnly.cpp:
(WebCore::StylePropertyMapReadOnly::reifyValue):
(WebCore::StylePropertyMapReadOnly::reifyValueToVector):
(WebCore::StylePropertyMapReadOnly::customPropertyValueOrDefault): Deleted.
* Source/WebCore/css/typedom/StylePropertyMapReadOnly.h:
* Source/WebCore/dom/StyledElement.cpp:
* Source/WebCore/html/CustomPaintImage.cpp:

Canonical link: https://commits.webkit.org/256055@main
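The lifetime hazard the commit message describes, as an added C++ example written for this page (not WebKit code): a minimal intrusive RefPtr stand-in, a map whose lookup hands back a temporary, and the pre-fix raw-pointer return beside the post-fix RefPtr return. `Value`, `Map`, `fetchRaw` and `fetchRef` are assumed names; the simulated free never calls delete, so the dangling case can be observed without undefined behaviour.

```cpp
#include <utility>

// Hypothetical stand-in for a ref-counted CSSValue: the last deref sets a flag
// instead of deleting, so the demo can observe the dangling pointer safely.
struct Value {
    int refCount = 0;
    int payload;
    bool freed = false;
    explicit Value(int p) : payload(p) {}
    void ref() { ++refCount; }
    void deref() { if (--refCount == 0) freed = true; }
};

// Minimal intrusive smart pointer modelled on the shape of WTF::RefPtr.
template<typename T> class RefPtr {
    T* m_ptr = nullptr;
public:
    RefPtr() = default;
    explicit RefPtr(T* p) : m_ptr(p) { if (m_ptr) m_ptr->ref(); }
    RefPtr(const RefPtr& o) : RefPtr(o.m_ptr) {}
    RefPtr(RefPtr&& o) noexcept : m_ptr(std::exchange(o.m_ptr, nullptr)) {}
    RefPtr& operator=(const RefPtr&) = delete;
    ~RefPtr() { if (m_ptr) m_ptr->deref(); }
    T* get() const { return m_ptr; }
};

// Stand-in for the property map: lookup() hands back a temporary RefPtr copy.
struct Map {
    RefPtr<Value> stored;
    RefPtr<Value> lookup() const { return stored; }
    // Pre-fix shape: the raw pointer outlives the temporary it was taken from.
    Value* propertyValueRaw() const { return lookup().get(); }
    // Post-fix shape: the RefPtr itself is returned, keeping the object alive.
    RefPtr<Value> propertyValueRef() const { return lookup(); }
};

// Build a map around v, fetch the value, then let the map (the owner) die.
static Value* fetchRaw(Value* v) { Map m{RefPtr<Value>(v)}; return m.propertyValueRaw(); }
static RefPtr<Value> fetchRef(Value* v) { Map m{RefPtr<Value>(v)}; return m.propertyValueRef(); }

// True: the last reference is gone, so constructing RefPtr<Value>(raw) here
// would be exactly the use-after-free pattern GCC warns about.
bool rawPointerDangles() { Value* raw = fetchRaw(new Value(7)); return raw->freed; }

// True: the returned RefPtr still owns one reference and the payload is intact.
bool refPtrKeepsAlive() {
    RefPtr<Value> kept = fetchRef(new Value(7));
    return !kept.get()->freed && kept.get()->refCount == 1 && kept.get()->payload == 7;
}
```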
