[webkit-changes] [WebKit/WebKit] 777fe1: Fix heap use-after-free in Update::addSVGRendererU...
Chirag Shah
noreply at github.com
Mon May 22 13:10:19 PDT 2023
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 777fe1501522cc907234a327b306b3cafffb1501
https://github.com/WebKit/WebKit/commit/777fe1501522cc907234a327b306b3cafffb1501
Author: Chirag M Shah <chirag_m_shah at apple.com>
Date: 2023-05-22 (Mon, 22 May 2023)
Changed paths:
A LayoutTests/svg/animations/svg-element-attribute-changed-crash-expected.txt
A LayoutTests/svg/animations/svg-element-attribute-changed-crash.html
M Source/WebCore/svg/properties/SVGAnimatedProperty.cpp
Log Message:
-----------
Fix heap use-after-free in Update::addSVGRendererUpdate
https://bugs.webkit.org/show_bug.cgi?id=254281
rdar://107052707

Reviewed by Ryosuke Niwa.

Update::addSVGRendererUpdate can end up removing the SVGElement from
m_roots, which can result in SVGElement being deleted when an attribute
change happens. This change prevents that by protecting the SVGElement
using a RefPtr.

* LayoutTests/svg/animations/svg-element-attribute-changed-crash-expected.txt: Added.
* LayoutTests/svg/animations/svg-element-attribute-changed-crash.html: Added.
* Source/WebCore/svg/properties/SVGAnimatedProperty.cpp:
(WebCore::SVGAnimatedProperty::commitPropertyChange):

Originally-landed-as: 259548.475@safari-7615-branch (aaa1c998206d). rdar://107052707
Canonical link: https://commits.webkit.org/264355@main
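
An added illustration of the lifetime pattern the log message describes, not code from the WebKit commit: a container holds the only strong reference to an object, a call made from the object's own member function removes it from that container, and a local keep-alive reference prevents the free. All names (`Roots`, `Element`, `commitChange`, `addRendererUpdate`, `survivesCommit`) are assumed, and `std::shared_ptr` stands in for WebKit's `RefPtr`.

```cpp
#include <algorithm>
#include <memory>
#include <vector>

// Simplified model with assumed names, not WebKit code. Roots owns the only
// strong reference to each Element, as m_roots does in the log message.
struct Element;

struct Roots {
    std::vector<std::shared_ptr<Element>> items;
    // Stand-in for the update step that can drop an element from the roots.
    void addRendererUpdate(Element& e);
};

struct Element : std::enable_shared_from_this<Element> {
    Roots& roots;
    int& destroyed;  // external counter, safe to read after *this is gone
    Element(Roots& r, int& d) : roots(r), destroyed(d) {}
    ~Element() { ++destroyed; }

    // Returns true if *this was still alive when the update call returned.
    bool commitChange(bool protect) {
        int& counter = destroyed;  // copy references out before the risky call
        Roots& r = roots;
        std::shared_ptr<Element> protector;
        if (protect)
            protector = shared_from_this();  // keep-alive for this scope
        r.addRendererUpdate(*this);
        // Without the protector, *this is already freed here; any member
        // access from this point on would be the use-after-free.
        return counter == 0;
    }
};

void Roots::addRendererUpdate(Element& e) {
    items.erase(std::remove_if(items.begin(), items.end(),
        [&](const std::shared_ptr<Element>& p) { return p.get() == &e; }),
        items.end());
}

// Runs one attribute change and reports whether the element outlived the call.
bool survivesCommit(bool protect) {
    Roots roots;
    int destroyed = 0;
    roots.items.push_back(std::make_shared<Element>(roots, destroyed));
    Element* raw = roots.items.front().get();  // non-owning, like `this`
    return raw->commitChange(protect);
}

int main() { return survivesCommit(true) && !survivesCommit(false) ? 0 : 1; }
```

The unprotected path deliberately touches only locals after the call, so the model stays well-defined while still showing that the object was destroyed mid-function.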