Bug 249061

Summary: Fix use-after-move in WebCore::StyleGradientImage constructor
Product: WebKit
Reporter: David Kilzer (:ddkilzer) <ddkilzer>
Component: SVG
Assignee: David Kilzer (:ddkilzer) <ddkilzer>
Status: RESOLVED FIXED
Severity: Normal
CC: sabouhallawa, webkit-bug-importer, zimmermann
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Bug Depends on: 246927
Bug Blocks:

David Kilzer (:ddkilzer)
Reported 2022-12-09 18:36:02 PST
Fix use-after-free in WebCore::StyleGradientImage() constructor in Source/WebCore/rendering/style/StyleGradientImage.cpp.

```cpp
StyleGradientImage::StyleGradientImage(Data&& data, CSSGradientColorInterpolationMethod colorInterpolationMethod, Vector<StyleGradientImageStop>&& stops)
    : StyleGeneratedImage { Type::GradientImage, StyleGradientImage::isFixedSize }
    , m_data { WTFMove(data) }
    , m_colorInterpolationMethod { colorInterpolationMethod }
    , m_stops { WTFMove(stops) }
    , m_knownCacheableBarringFilter { stopsAreCacheable(stops) } // FIXME: Use-after-move of `stops`.
{
}
```
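The defect in the report is easy to miss because a moved-from container is still a valid object, so nothing crashes: the flag is just computed from the wrong data. The following is an added example written for this page, not WebKit code. It reproduces the initializer-list shape from the constructor above with std::vector standing in for WTF::Vector and std::move for WTFMove, a constructed Stop type and stopsAreCacheable() stand-in, and a corrected class that reads the moved-to member instead. Which exact change WebKit landed is not stated on this page, so the fix shown is one idiomatic option, not a claim about the commit.

```cpp
#include <cstddef>
#include <cstdio>
#include <utility>
#include <vector>

// Constructed stand-in for WebCore::StyleGradientImageStop (assumption): a stop
// counts as cacheable here when its color is already resolved.
struct Stop {
    bool hasResolvedColor;
};

// Constructed stand-in for StyleGradientImage::stopsAreCacheable() (assumption).
// Every stop must be cacheable. On an empty vector the loop never runs and the
// function returns true, which is why the use-after-move below is silent.
static bool stopsAreCacheable(const std::vector<Stop>& stops)
{
    for (const Stop& stop : stops) {
        if (!stop.hasResolvedColor)
            return false;
    }
    return true;
}

// Mirrors the initializer-list order from the bug report. Members are
// initialized in declaration order, so m_stops takes ownership of `stops`
// first and stopsAreCacheable(stops) then reads the moved-from parameter.
// With libstdc++, libc++ and MSVC a moved-from std::vector is empty, so the
// flag comes out true no matter what the caller passed in.
class GradientImageBuggy {
public:
    explicit GradientImageBuggy(std::vector<Stop>&& stops)
        : m_stops { std::move(stops) }
        , m_knownCacheableBarringFilter { stopsAreCacheable(stops) } // use-after-move
    {
    }

    bool knownCacheableBarringFilter() const { return m_knownCacheableBarringFilter; }
    std::size_t stopCount() const { return m_stops.size(); }

private:
    std::vector<Stop> m_stops;
    bool m_knownCacheableBarringFilter;
};

// Corrected version: derive the flag from the member that now owns the data.
// m_stops is declared, and therefore initialized, before the flag, so reading
// it in the flag's initializer is well defined.
class GradientImageFixed {
public:
    explicit GradientImageFixed(std::vector<Stop>&& stops)
        : m_stops { std::move(stops) }
        , m_knownCacheableBarringFilter { stopsAreCacheable(m_stops) }
    {
    }

    bool knownCacheableBarringFilter() const { return m_knownCacheableBarringFilter; }
    std::size_t stopCount() const { return m_stops.size(); }

private:
    std::vector<Stop> m_stops;
    bool m_knownCacheableBarringFilter;
};

int main()
{
    // Constructed input: one stop whose color is not resolved, so the correct
    // answer is "not cacheable". The buggy class still reports cacheable.
    std::vector<Stop> stopsForBuggy { Stop { false } };
    std::vector<Stop> stopsForFixed { Stop { false } };
    GradientImageBuggy buggy(std::move(stopsForBuggy));
    GradientImageFixed fixed(std::move(stopsForFixed));
    std::printf("buggy: stops=%zu cacheable=%d\n", buggy.stopCount(), static_cast<int>(buggy.knownCacheableBarringFilter()));
    std::printf("fixed: stops=%zu cacheable=%d\n", fixed.stopCount(), static_cast<int>(fixed.knownCacheableBarringFilter()));
    return 0;
}
```

Two practical points follow from this. Reordering the mem-initializer list would not have helped, since initialization order is fixed by member declaration order (and -Wreorder only warns about the list not matching it); the reliable fix is to read the member that received the data, or to compute the value into a local before the move. Neither -Wall nor -Wextra diagnoses the read of `stops` after the move, but clang-tidy's bugprone-use-after-move check does, and it is worth enabling in CI for codebases that lean on WTFMove/std::move in constructors.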
Attachments
Radar WebKit Bug Importer
Comment 1 2022-12-09 18:36:24 PST
David Kilzer (:ddkilzer)
Comment 2 2022-12-09 18:45:45 PST
EWS
Comment 3 2022-12-10 13:41:22 PST
Committed 257686@main (40f4e5e1face): <https://commits.webkit.org/257686@main> Reviewed commits have been landed. Closing PR #7427 and removing active labels.
David Kilzer (:ddkilzer)
Comment 4 2022-12-11 09:01:39 PST
This was a use-after-move, not a use-after-free.