RESOLVED FIXED45896
CVE-2011-0113 CSS: Fix crash in getTimingFunctionValue() 
https://bugs.webkit.org/show_bug.cgi?id=45896
Summary CSS: Fix crash in getTimingFunctionValue()
Andreas Kling
Reported 2010-09-16 09:20:47 PDT
Since TimingFunctions are refcounted since http://trac.webkit.org/changeset/67032 we need to store them using RefPtr rather than TimingFunction*.
Attachments
Proposed patch (3.25 KB, patch)
2010-09-16 09:23 PDT, Andreas Kling 		no flags
DetailsFormatted DiffDiff
Proposed patch v2 (2.17 KB, patch)
2010-09-16 10:11 PDT, Andreas Kling 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Andreas Kling
Comment 1 2010-09-16 09:23:09 PDT
Created attachment 67803 [details] Proposed patch
Simon Fraser (smfr)
Comment 2 2010-09-16 09:23:39 PDT
Comment on attachment 67803 [details] Proposed patch Needs a testcase.
Andreas Kling
Comment 3 2010-09-16 09:39:59 PDT
(In reply to comment #2) > (From update of attachment 67803 [details]) > Needs a testcase. Right, sorry. This is already covered by existing tests, for example transitions/inherit-other-props.html. You'll only get an actual crash on picky platforms (or valgrind ;-))
Simon Fraser (smfr)
Comment 4 2010-09-16 09:56:47 PDT
Comment on attachment 67803 [details] Proposed patch > diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog > index 13da8c8..7277379 100644 > --- a/WebCore/ChangeLog > +++ b/WebCore/ChangeLog > @@ -1,3 +1,15 @@ > +2010-09-16 Andreas Kling <andreas.kling@nokia.com> > + > + Reviewed by NOBODY (OOPS!). > + > + CSS: Fix crash in getTimingFunctionValue() > + https://bugs.webkit.org/show_bug.cgi?id=45896 > + > + Use RefPtrs to avoid deleting the TimingFunctions prematurely. You should say here why you didn't add any tests. > diff --git a/WebCore/css/CSSComputedStyleDeclaration.cpp b/WebCore/css/CSSComputedStyleDeclaration.cpp > index ce96e1c..f351cd7 100644 > --- a/WebCore/css/CSSComputedStyleDeclaration.cpp > +++ b/WebCore/css/CSSComputedStyleDeclaration.cpp > @@ -514,12 +514,12 @@ static PassRefPtr<CSSValue> getTimingFunctionValue(const AnimationList* animList > RefPtr<CSSValueList> list = CSSValueList::createCommaSeparated(); > if (animList) { > for (size_t i = 0; i < animList->size(); ++i) { > - const TimingFunction* tf = animList->animation(i)->timingFunction().get(); > + RefPtr<TimingFunction> tf = animList->animation(i)->timingFunction(); I don't see why this RefPtr is needed. How can animList->animation(i)->timingFunction() go bad here?
Andreas Kling
Comment 5 2010-09-16 10:11:55 PDT
Created attachment 67815 [details] Proposed patch v2 Updated ChangeLog with information about test coverage. Removed the unnecessary guard for Animation::timingFunction().
Andreas Kling
Comment 6 2010-09-16 10:21:08 PDT
Comment on attachment 67815 [details] Proposed patch v2 Clearing flags on attachment: 67815 Committed r67634: <http://trac.webkit.org/changeset/67634>
Andreas Kling
Comment 7 2010-09-16 10:21:18 PDT
All reviewed patches have been landed. Closing bug.
David Kilzer (:ddkilzer)
Comment 8 2010-12-04 16:47:06 PST
<rdar://problem/8730620>
Vincent Danen
Comment 9 2011-03-03 15:44:14 PST
This was assigned CVE-2011-0113.
Note You need to log in before you can comment on or make changes to this bug.