Bug 288536

Summary:	Use SingleThreadWeakPtr for SVGResourcesMap::legacyResources
Product:	WebKit	Reporter:	Said Abou-Hallawa <sabouhallawa>
Component:	SVG	Assignee:	Said Abou-Hallawa <sabouhallawa>
Status:	RESOLVED FIXED
Severity:	Normal	CC:	sabouhallawa, webkit-bug-importer, zimmermann
Priority:	P2	Keywords:	InRadar
Version:	WebKit Nightly Build
Hardware:	Unspecified
OS:	Unspecified

Said Abou-Hallawa

Reported 2025-02-25 14:02:47 PST

This HashMap maps from an `AtomString` to a raw pointer `LegacyRenderSVGResourceContainer*`. This can lead to all sorts of bad memory access bugs: UAF and null pointer dereferencing. In RenderLayer::setupClipPath(), we request a pointer to the SVG resource given the clip-path URI. The code path in RenderLayer from CSS property to the SVG resource is little bit trickier than referencing the SVG resources from the SVG renderers. To protect this code path, we can make SVGResourcesMap::legacyResources map from `AtomString` to `SingleThreadWeakPtr<LegacyRenderSVGResourceContainer>`.

Attachments
Add attachment proposed patch, testcase, etc.

Said Abou-Hallawa

Comment 1 2025-02-25 14:03:28 PST

rdar://145361009

Said Abou-Hallawa

Comment 2 2025-02-25 14:12:05 PST

Pull request: https://github.com/WebKit/WebKit/pull/41334

EWS

Comment 3 2025-02-25 19:34:32 PST

Committed 291085@main (c6ebbb101667): <https://commits.webkit.org/291085@main> Reviewed commits have been landed. Closing PR #41334 and removing active labels.

EWS

Comment 4 2025-02-27 13:28:54 PST

Committed 289651.192@safari-7621-branch (974f520eaa6c): <https://commits.webkit.org/289651.192@safari-7621-branch> Reviewed commits have been landed. Closing PR #2688 and removing active labels.

Note You need to log in before you can comment on or make changes to this bug.