Bug 45896 (CVE-2011-0113) - CSS: Fix crash in getTimingFunctionValue()
Summary: CSS: Fix crash in getTimingFunctionValue()
Status: RESOLVED FIXED
Alias: CVE-2011-0113
Product: WebKit
Classification: Unclassified
Component: CSS (show other bugs)
Version: 528+ (Nightly build)
Hardware: All All
: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2010-09-16 09:20 PDT by Andreas Kling
Modified: 2011-03-03 15:44 PST (History)
3 users (show)

See Also:

Attachments
Proposed patch (3.25 KB, patch)
2010-09-16 09:23 PDT, Andreas Kling 		no flags Details | Formatted Diff | Diff
Proposed patch v2 (2.17 KB, patch)
2010-09-16 10:11 PDT, Andreas Kling 		no flags Details | Formatted Diff | Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Andreas Kling 2010-09-16 09:20:47 PDT 
Since TimingFunctions are refcounted since http://trac.webkit.org/changeset/67032 we need to store them using RefPtr rather than TimingFunction*.
Comment 1 Andreas Kling 2010-09-16 09:23:09 PDT 
Created attachment 67803 [details]
Proposed patch
Comment 2 Simon Fraser (smfr) 2010-09-16 09:23:39 PDT 
Comment on attachment 67803 [details]
Proposed patch

Needs a testcase.
Comment 3 Andreas Kling 2010-09-16 09:39:59 PDT 
(In reply to comment #2)
> (From update of attachment 67803 [details])
> Needs a testcase.

Right, sorry. This is already covered by existing tests, for example transitions/inherit-other-props.html. You'll only get an actual crash on picky platforms (or valgrind ;-))
Comment 4 Simon Fraser (smfr) 2010-09-16 09:56:47 PDT 
Comment on attachment 67803 [details]
Proposed patch

> diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
> index 13da8c8..7277379 100644
> --- a/WebCore/ChangeLog
> +++ b/WebCore/ChangeLog
> @@ -1,3 +1,15 @@
> +2010-09-16  Andreas Kling  <andreas.kling@nokia.com>
> +
> +        Reviewed by NOBODY (OOPS!).
> +
> +        CSS: Fix crash in getTimingFunctionValue()
> +        https://bugs.webkit.org/show_bug.cgi?id=45896
> +
> +        Use RefPtrs to avoid deleting the TimingFunctions prematurely.

You should say here why you didn't add any tests.

> diff --git a/WebCore/css/CSSComputedStyleDeclaration.cpp b/WebCore/css/CSSComputedStyleDeclaration.cpp
> index ce96e1c..f351cd7 100644
> --- a/WebCore/css/CSSComputedStyleDeclaration.cpp
> +++ b/WebCore/css/CSSComputedStyleDeclaration.cpp
> @@ -514,12 +514,12 @@ static PassRefPtr<CSSValue> getTimingFunctionValue(const AnimationList* animList
>      RefPtr<CSSValueList> list = CSSValueList::createCommaSeparated();
>      if (animList) {
>          for (size_t i = 0; i < animList->size(); ++i) {
> -            const TimingFunction* tf = animList->animation(i)->timingFunction().get();
> +            RefPtr<TimingFunction> tf = animList->animation(i)->timingFunction();

I don't see why this RefPtr is needed. How can animList->animation(i)->timingFunction() go bad here?
Comment 5 Andreas Kling 2010-09-16 10:11:55 PDT 
Created attachment 67815 [details]
Proposed patch v2

Updated ChangeLog with information about test coverage.
Removed the unnecessary guard for Animation::timingFunction().
Comment 6 Andreas Kling 2010-09-16 10:21:08 PDT 
Comment on attachment 67815 [details]
Proposed patch v2

Clearing flags on attachment: 67815

Committed r67634: <http://trac.webkit.org/changeset/67634>
Comment 7 Andreas Kling 2010-09-16 10:21:18 PDT 
All reviewed patches have been landed.  Closing bug.
Comment 8 David Kilzer (:ddkilzer) 2010-12-04 16:47:06 PST 
<rdar://problem/8730620>
Comment 9 Vincent Danen 2011-03-03 15:44:14 PST 
This was assigned CVE-2011-0113.