Summary: CSS: Fix crash in getTimingFunctionValue()

| Field | Value |
|---|---|
| Product | WebKit |
| Component | CSS |
| Status | RESOLVED FIXED |
| Severity | Normal |
| Priority | P2 |
| Version | 528+ (Nightly build) |
| Hardware | All |
| OS | All |
| Reporter | Andreas Kling <kling> |
| Assignee | Nobody <webkit-unassigned> |
| CC | dino, simon.fraser, vdanen |
| Keywords | InRadar |
Description

Andreas Kling, 2010-09-16 09:20:47 PDT

Created attachment 67803 [details]
Proposed patch

Comment on attachment 67803 [details]
Proposed patch

Needs a testcase.
(In reply to comment #2) > (From update of attachment 67803 [details]) > Needs a testcase. Right, sorry. This is already covered by existing tests, for example transitions/inherit-other-props.html. You'll only get an actual crash on picky platforms (or valgrind ;-)) Comment on attachment 67803 [details] Proposed patch > diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog > index 13da8c8..7277379 100644 > --- a/WebCore/ChangeLog > +++ b/WebCore/ChangeLog > @@ -1,3 +1,15 @@ > +2010-09-16 Andreas Kling <andreas.kling@nokia.com> > + > + Reviewed by NOBODY (OOPS!). > + > + CSS: Fix crash in getTimingFunctionValue() > + https://bugs.webkit.org/show_bug.cgi?id=45896 > + > + Use RefPtrs to avoid deleting the TimingFunctions prematurely. You should say here why you didn't add any tests. > diff --git a/WebCore/css/CSSComputedStyleDeclaration.cpp b/WebCore/css/CSSComputedStyleDeclaration.cpp > index ce96e1c..f351cd7 100644 > --- a/WebCore/css/CSSComputedStyleDeclaration.cpp > +++ b/WebCore/css/CSSComputedStyleDeclaration.cpp > @@ -514,12 +514,12 @@ static PassRefPtr<CSSValue> getTimingFunctionValue(const AnimationList* animList > RefPtr<CSSValueList> list = CSSValueList::createCommaSeparated(); > if (animList) { > for (size_t i = 0; i < animList->size(); ++i) { > - const TimingFunction* tf = animList->animation(i)->timingFunction().get(); > + RefPtr<TimingFunction> tf = animList->animation(i)->timingFunction(); I don't see why this RefPtr is needed. How can animList->animation(i)->timingFunction() go bad here? Created attachment 67815 [details]
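Review bot: The ChangeLog hunk carries no test information. Since the reporter states the crash is already covered by existing tests (transitions/inherit-other-props.html is named in the thread) and only surfaces on picky platforms or under valgrind, the entry should say exactly that, so a reader of the log can tell the absence of a new test is deliberate rather than an oversight. The "Reviewed by NOBODY (OOPS!)" line is the usual pre-landing placeholder, but the one-line summary "Use RefPtrs to avoid deleting the TimingFunctions prematurely" never says which holder was releasing the TimingFunction early, and that is the fact a later reader will need to judge whether the fix is complete.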
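Review bot: In the CSSComputedStyleDeclaration.cpp hunk, the new local `RefPtr<TimingFunction> tf` does not extend any lifetime that matters: `animList->animation(i)` owns the timing function, and nothing in the visible part of the loop body can release it, so the raw pointer obtained from `timingFunction().get()` is already valid for the whole iteration. The existing review comment raises the same objection and v2 drops this guard. If a TimingFunction really is being freed while still referenced, the hunk that keeps that object alive at its owner is the one that fixes the crash and the one the ChangeLog should describe; as quoted, this hunk only changes a local's type, and the remainder of the function's changes are not shown.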
Proposed patch v2

Updated ChangeLog with information about test coverage.
Removed the unnecessary guard for Animation::timingFunction().

Comment on attachment 67815 [details]
Proposed patch v2

Clearing flags on attachment: 67815

Committed r67634: <http://trac.webkit.org/changeset/67634>

All reviewed patches have been landed. Closing bug.

This was assigned CVE-2011-0113.