RESOLVED FIXED 288536
Use SingleThreadWeakPtr for SVGResourcesMap::legacyResources
https://bugs.webkit.org/show_bug.cgi?id=288536
Summary Use SingleThreadWeakPtr for SVGResourcesMap::legacyResources
Said Abou-Hallawa
Reported 2025-02-25 14:02:47 PST
This HashMap maps from an `AtomString` to a raw pointer `LegacyRenderSVGResourceContainer*`. This can lead to all sorts of bad memory access bugs: UAF and null pointer dereferencing. In RenderLayer::setupClipPath(), we request a pointer to the SVG resource given the clip-path URI. The code path in RenderLayer from CSS property to the SVG resource is a little bit trickier than referencing the SVG resources from the SVG renderers. To protect this code path, we can make SVGResourcesMap::legacyResources map from `AtomString` to `SingleThreadWeakPtr<LegacyRenderSVGResourceContainer>`.
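As an added example (not WebKit's code), a minimal single-threaded weak pointer in the spirit of SingleThreadWeakPtr, showing why a map of raw pointers to resource containers is unsafe once a resource is destroyed; the names WeakBlock, CanMakeWeakPtr, WeakPtr and ResourceContainer are hypothetical stand-ins for the WTF and rendering classes.

```cpp
// Added illustration, not WebKit code. Models the idea behind
// WTF::SingleThreadWeakPtr: a shared control block the owner clears on
// destruction, so every weak reference observes nullptr afterwards.
#include <memory>
#include <string>
#include <unordered_map>

template <typename T>
struct WeakBlock { T* ptr = nullptr; };

// Mix-in for objects that can hand out weak references (hypothetical name).
template <typename T>
class CanMakeWeakPtr {
public:
    CanMakeWeakPtr() : m_block(std::make_shared<WeakBlock<T>>()) {}
    ~CanMakeWeakPtr() { m_block->ptr = nullptr; }   // invalidate all weak refs
    std::shared_ptr<WeakBlock<T>> weakBlock() const {
        m_block->ptr = const_cast<T*>(static_cast<const T*>(this)); // fully constructed here
        return m_block;
    }
private:
    std::shared_ptr<WeakBlock<T>> m_block;
};

template <typename T>
class WeakPtr {
public:
    WeakPtr() = default;
    explicit WeakPtr(const CanMakeWeakPtr<T>& obj) : m_block(obj.weakBlock()) {}
    T* get() const { return m_block ? m_block->ptr : nullptr; }
private:
    std::shared_ptr<WeakBlock<T>> m_block;
};

// Stand-in for LegacyRenderSVGResourceContainer (hypothetical).
struct ResourceContainer : CanMakeWeakPtr<ResourceContainer> { int id = 0; };

// Raw-pointer map: after the resource dies the entry still holds a stale,
// non-null address; dereferencing it would be a use-after-free.
bool rawMapStillHoldsStaleAddress() {
    std::unordered_map<std::string, ResourceContainer*> legacyResources;
    { ResourceContainer clip; legacyResources["clip"] = &clip; }   // clip destroyed here
    return legacyResources["clip"] != nullptr;   // true: dangling, nothing to check against
}

// Weak-pointer map: the same lookup yields nullptr, so the caller can bail out.
bool weakMapObservesDestruction() {
    std::unordered_map<std::string, WeakPtr<ResourceContainer>> legacyResources;
    { ResourceContainer clip; legacyResources["clip"] = WeakPtr<ResourceContainer>(clip); }
    return legacyResources["clip"].get() == nullptr;   // true: safe null check
}
```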
Said Abou-Hallawa
Comment 1 2025-02-25 14:03:28 PST
Said Abou-Hallawa
Comment 2 2025-02-25 14:12:05 PST
EWS
Comment 3 2025-02-25 19:34:32 PST
Committed 291085@main (c6ebbb101667): <https://commits.webkit.org/291085@main> Reviewed commits have been landed. Closing PR #41334 and removing active labels.
EWS
Comment 4 2025-02-27 13:28:54 PST
Committed 289651.192@safari-7621-branch (974f520eaa6c): <https://commits.webkit.org/289651.192@safari-7621-branch> Reviewed commits have been landed. Closing PR #2688 and removing active labels.