[Webkit-unassigned] [Bug 249061] New: Fix use-after-free in WebCore::StyleGradientImage() constructor
bugzilla-daemon at webkit.org
Fri Dec 9 18:36:02 PST 2022
https://bugs.webkit.org/show_bug.cgi?id=249061
Bug ID: 249061
Summary: Fix use-after-free in WebCore::StyleGradientImage() constructor
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: SVG
Assignee: webkit-unassigned at lists.webkit.org
Reporter: ddkilzer at webkit.org
CC: sabouhallawa at apple.com, zimmermann at kde.org
Fix use-after-free in WebCore::StyleGradientImage() constructor in Source/WebCore/rendering/style/StyleGradientImage.cpp.
```
StyleGradientImage::StyleGradientImage(Data&& data, CSSGradientColorInterpolationMethod colorInterpolationMethod, Vector<StyleGradientImageStop>&& stops)
    : StyleGeneratedImage { Type::GradientImage, StyleGradientImage::isFixedSize }
    , m_data { WTFMove(data) }
    , m_colorInterpolationMethod { colorInterpolationMethod }
    , m_stops { WTFMove(stops) }
    , m_knownCacheableBarringFilter { stopsAreCacheable(stops) } // FIXME: Use-after-move of `stops`.
{
}
```
--
You are receiving this mail because:
You are the assignee for the bug.
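The use-after-move flagged in the FIXME above, reduced to a stand-alone form next to one possible correction. This is an added example, not code from the bug report or from WebKit: `std::vector` and `std::move` stand in for `WTF::Vector` and `WTFMove`, and `Stop`, `contextDependent`, the body of `stopsAreCacheable`, and the `Gradient*` class names are hypothetical.

```cpp
#include <cstdio>
#include <utility>
#include <vector>

// Hypothetical stand-in for StyleGradientImageStop (the real type is not shown above).
struct Stop { bool contextDependent; };

// Hypothetical predicate: cacheable only when no stop is context dependent.
static bool stopsAreCacheable(const std::vector<Stop>& stops)
{
    for (const Stop& stop : stops)
        if (stop.contextDependent) return false;
    return true;
}

// Same shape as the reported constructor: `stops` is read after it was moved from.
class GradientBefore {
public:
    explicit GradientBefore(std::vector<Stop>&& stops)
        : m_stops { std::move(stops) }
        , m_cacheable { stopsAreCacheable(stops) } // parameter is already empty here
    { }
    bool cacheable() const { return m_cacheable; }
private:
    std::vector<Stop> m_stops;
    bool m_cacheable;
};

// One possible correction: query the member that now owns the elements. m_stops must be
// declared before m_cacheable, because members are initialized in declaration order.
class GradientAfter {
public:
    explicit GradientAfter(std::vector<Stop>&& stops)
        : m_stops { std::move(stops) }
        , m_cacheable { stopsAreCacheable(m_stops) }
    { }
    bool cacheable() const { return m_cacheable; }
private:
    std::vector<Stop> m_stops;
    bool m_cacheable;
};

// Constructed sample input: the second stop must prevent caching.
static std::vector<Stop> sampleStops() { return { Stop { false }, Stop { true } }; }

bool beforeSaysCacheable() { return GradientBefore(sampleStops()).cacheable(); }
bool afterSaysCacheable() { return GradientAfter(sampleStops()).cacheable(); }
int main() { std::printf("before=%d after=%d\n", beforeSaysCacheable(), afterSaysCacheable()); }
```

With `std::vector`, the moved-from parameter is guaranteed empty after move construction, so the first class silently computes its flag over zero stops. clang-tidy's `bugprone-use-after-move` check is designed to flag this pattern.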