From 85fd2302d16a09a82d9a6e81eb286babb23c4b3c Mon Sep 17 00:00:00 2001
From: Antoine Quint <graouts@webkit.org>
Date: Mon, 22 May 2023 13:37:32 -0700
Subject: [PATCH] Potential use-after-free in WebAnimation::commitStyles
 https://bugs.webkit.org/show_bug.cgi?id=254840 rdar://107444873

Reviewed by Dean Jackson and Darin Adler.

Ensure that the animation's effect and target are kept alive for the duration of this method
since it is possible that calling updateStyleIfNeeded() could call into JavaScript and thus
these two pointers could be changed to a null value using the Web Animations API.

* Source/WebCore/animation/WebAnimation.cpp:
(WebCore::WebAnimation::commitStyles):

Originally-landed-as: 259548.532@safari-7615-branch (1d6fe184ea53). rdar://107444873
Canonical link: https://commits.webkit.org/264363@main
---
 Source/WebCore/animation/WebAnimation.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Source/WebCore/animation/WebAnimation.cpp b/Source/WebCore/animation/WebAnimation.cpp
index 68ea47985807..ae20c79c36cf 100644
--- a/Source/WebCore/animation/WebAnimation.cpp
+++ b/Source/WebCore/animation/WebAnimation.cpp
@@ -1531,8 +1531,8 @@ ExceptionOr<void> WebAnimation::commitStyles()
     // https://drafts.csswg.org/web-animations-1/#commit-computed-styles
 
     // 1. Let targets be the set of all effect targets for animation effects associated with animation.
-    auto* effect = dynamicDowncast<KeyframeEffect>(m_effect.get());
-    auto* target = effect ? effect->target() : nullptr;
+    RefPtr effect = dynamicDowncast<KeyframeEffect>(m_effect.get());
+    RefPtr target = effect ? effect->target() : nullptr;
 
     // 2. For each target in targets:
     //