From 85fd2302d16a09a82d9a6e81eb286babb23c4b3c Mon Sep 17 00:00:00 2001

From: Antoine Quint <graouts@webkit.org>

Date: Mon, 22 May 2023 13:37:32 -0700

Subject: [PATCH] Potential use-after-free in WebAnimation::commitStyles

 https://bugs.webkit.org/show_bug.cgi?id=254840 rdar://107444873

Reviewed by Dean Jackson and Darin Adler.

Ensure that the animation's effect and target are kept alive for the duration of this method

since it is possible that calling updateStyleIfNeeded() could call into JavaScript and thus

these two pointers could be changed to a null value using the Web Animations API.

* Source/WebCore/animation/WebAnimation.cpp:

(WebCore::WebAnimation::commitStyles):

Originally-landed-as: 259548.532@safari-7615-branch (1d6fe184ea53). rdar://107444873

Canonical link: https://commits.webkit.org/264363@main

---

 Source/WebCore/animation/WebAnimation.cpp | 4 ++--

 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Source/WebCore/animation/WebAnimation.cpp b/Source/WebCore/animation/WebAnimation.cpp

index 68ea47985807..ae20c79c36cf 100644

--- a/Source/WebCore/animation/WebAnimation.cpp

+++ b/Source/WebCore/animation/WebAnimation.cpp

@@ -1531,8 +1531,8 @@ ExceptionOr<void> WebAnimation::commitStyles()

     // https://drafts.csswg.org/web-animations-1/#commit-computed-styles

     // 1. Let targets be the set of all effect targets for animation effects associated with animation.

-    auto* effect = dynamicDowncast<KeyframeEffect>(m_effect.get());

-    auto* target = effect ? effect->target() : nullptr;

+    RefPtr effect = dynamicDowncast<KeyframeEffect>(m_effect.get());

+    RefPtr target = effect ? effect->target() : nullptr;

     // 2. For each target in targets:

     //