249061 – Fix use-after-move in WebCore::StyleGradientImage constructor

Bug 249061 - Fix use-after-move in WebCore::StyleGradientImage constructor

Summary: Fix use-after-move in WebCore::StyleGradientImage constructor

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	SVG (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	David Kilzer (:ddkilzer)

URL:
Keywords:	InRadar

Depends on:	246927
Blocks:
	Show dependency tree / graph

Reported:	2022-12-09 18:36 PST by David Kilzer (:ddkilzer)
Modified:	2022-12-11 09:01 PST (History)
CC List:	3 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description David Kilzer (:ddkilzer) 2022-12-09 18:36:02 PST

Fix use-after-free in WebCore::StyleGradientImage() constructor in Source/WebCore/rendering/style/StyleGradientImage.cpp.

```
StyleGradientImage::StyleGradientImage(Data&& data, CSSGradientColorInterpolationMethod colorInterpolationMethod, Vector
<StyleGradientImageStop>&& stops)
    : StyleGeneratedImage { Type::GradientImage, StyleGradientImage::isFixedSize }
    , m_data { WTFMove(data) }
    , m_colorInterpolationMethod { colorInterpolationMethod }
    , m_stops { WTFMove(stops) }
    , m_knownCacheableBarringFilter { stopsAreCacheable(stops) }  // FIXME: Use-after-move of `stops`.
{
}
```

Comment 1 Radar WebKit Bug Importer 2022-12-09 18:36:24 PST

<rdar://problem/103202572>

Comment 2 David Kilzer (:ddkilzer) 2022-12-09 18:45:45 PST

Pull request: https://github.com/WebKit/WebKit/pull/7427

Comment 3 EWS 2022-12-10 13:41:22 PST

Committed 257686@main (40f4e5e1face): <https://commits.webkit.org/257686@main>

Reviewed commits have been landed. Closing PR #7427 and removing active labels.

Comment 4 David Kilzer (:ddkilzer) 2022-12-11 09:01:39 PST

This was a use-after-move, not a use-after-free.