WebCore::StylePropertySet::addParsedProperties - crash
https://bugs.webkit.org/show_bug.cgi?id=91153
Patch by Douglas Stockwell <dstockwell@chromium.org> on 2012-07-18
Reviewed by Andreas Kling.
Source/WebCore:
WebKitCSSKeyframeRule::style exposed an immutable StylePropertySet.
Modified to create a mutable copy on demand.
Test: fast/css/css-keyframe-style-mutate-crash.html
* css/StyleResolver.cpp:
(WebCore::StyleResolver::collectMatchingRulesForList):
* css/WebKitCSSKeyframeRule.cpp:
(WebCore::StyleKeyframe::mutableProperties): Added, creates a mutable copy of properties as required.
(WebCore::WebKitCSSKeyframeRule::style):
* css/WebKitCSSKeyframeRule.h:
(WebCore::StyleKeyframe::properties): Made const, use mutableProperties to mutate.
LayoutTests:
* fast/css/css-keyframe-style-mutate-crash-expected.txt: Added.
* fast/css/css-keyframe-style-mutate-crash.html: Added.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@122976 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/WebCore/css/WebKitCSSKeyframeRule.cpp b/Source/WebCore/css/WebKitCSSKeyframeRule.cpp
index 7692086..0577b46 100644
--- a/Source/WebCore/css/WebKitCSSKeyframeRule.cpp
+++ b/Source/WebCore/css/WebKitCSSKeyframeRule.cpp
@@ -31,6 +31,13 @@
#include "WebKitCSSKeyframesRule.h"
namespace WebCore {
+
+StylePropertySet* StyleKeyframe::mutableProperties()
+{
+ if (!m_properties->isMutable())
+ m_properties = m_properties->copy();
+ return m_properties.get();
+}
void StyleKeyframe::setProperties(PassRefPtr<StylePropertySet> properties)
{
@@ -94,7 +101,7 @@
CSSStyleDeclaration* WebKitCSSKeyframeRule::style() const
{
if (!m_propertiesCSSOMWrapper)
- m_propertiesCSSOMWrapper = StyleRuleCSSStyleDeclaration::create(m_keyframe->properties(), const_cast<WebKitCSSKeyframeRule*>(this));
+ m_propertiesCSSOMWrapper = StyleRuleCSSStyleDeclaration::create(m_keyframe->mutableProperties(), const_cast<WebKitCSSKeyframeRule*>(this));
return m_propertiesCSSOMWrapper.get();
}
