249061 – Fix use-after-move in WebCore::StyleGradientImage constructor

RESOLVED FIXED 249061

Fix use-after-move in WebCore::StyleGradientImage constructor

https://bugs.webkit.org/show_bug.cgi?id=249061

Summary Fix use-after-move in WebCore::StyleGradientImage constructor

David Kilzer (:ddkilzer)

Reported 2022-12-09 18:36:02 PST

Fix use-after-free in WebCore::StyleGradientImage() constructor in Source/WebCore/rendering/style/StyleGradientImage.cpp. ``` StyleGradientImage::StyleGradientImage(Data&& data, CSSGradientColorInterpolationMethod colorInterpolationMethod, Vector <StyleGradientImageStop>&& stops) : StyleGeneratedImage { Type::GradientImage, StyleGradientImage::isFixedSize } , m_data { WTFMove(data) } , m_colorInterpolationMethod { colorInterpolationMethod } , m_stops { WTFMove(stops) } , m_knownCacheableBarringFilter { stopsAreCacheable(stops) } // FIXME: Use-after-move of `stops`. { } ```

Attachments
Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2022-12-09 18:36:24 PST

<rdar://problem/103202572>

David Kilzer (:ddkilzer)

Comment 2 2022-12-09 18:45:45 PST

Pull request: https://github.com/WebKit/WebKit/pull/7427

EWS

Comment 3 2022-12-10 13:41:22 PST

Committed 257686@main (40f4e5e1face): <https://commits.webkit.org/257686@main> Reviewed commits have been landed. Closing PR #7427 and removing active labels.

David Kilzer (:ddkilzer)

Comment 4 2022-12-11 09:01:39 PST

This was a use-after-move, not a use-after-free.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component SVG

Assignee

David Kilzer (:ddkilzer)

Reported

2022-12-09 18:36 PST

Modified

2022-12-11 09:01 PST History

CC List

3 users Show

URL

Keywords InRadar

Depends on

246927

Blocks

Dependencies

tree graph