Bug 1467999 - Hold RefPtrs to the ASR objects to avoid UAFs. r?mstange
MozReview-Commit-ID: 1NVuY8Sq1YI
--- a/layout/painting/nsDisplayList.h
+++ b/layout/painting/nsDisplayList.h
@@ -5941,31 +5941,32 @@ public:
{
return mContainerASR;
}
private:
// This stores the ASR that this sticky container item would have assuming it
// has no fixed descendants. This may be the same as the ASR returned by
// GetActiveScrolledRoot(), or it may be a descendant of that.
- const ActiveScrolledRoot* mContainerASR;
+ RefPtr<const ActiveScrolledRoot> mContainerASR;
};
class nsDisplayFixedPosition : public nsDisplayOwnLayer {
public:
nsDisplayFixedPosition(nsDisplayListBuilder* aBuilder, nsIFrame* aFrame,
nsDisplayList* aList,
const ActiveScrolledRoot* aActiveScrolledRoot,
const ActiveScrolledRoot* aContainerASR);
nsDisplayFixedPosition(nsDisplayListBuilder* aBuilder,
const nsDisplayFixedPosition& aOther)
: nsDisplayOwnLayer(aBuilder, aOther)
, mAnimatedGeometryRootForScrollMetadata(aOther.mAnimatedGeometryRootForScrollMetadata)
, mIndex(aOther.mIndex)
, mIsFixedBackground(aOther.mIsFixedBackground)
+ , mContainerASR(aOther.mContainerASR)
{
MOZ_COUNT_CTOR(nsDisplayFixedPosition);
}
static nsDisplayFixedPosition* CreateForFixedBackground(nsDisplayListBuilder* aBuilder,
nsIFrame* aFrame,
nsDisplayBackgroundImage* aImage,
uint32_t aIndex);
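Review bot: The comment above the sticky item's `mContainerASR` (the three lines before the `-`/`+` pair) still describes only which ASR is stored and says nothing about the ownership the change introduces, so the next reader has no hint why this is a `RefPtr` while the constructor still takes a raw `const ActiveScrolledRoot*`. I would append a sentence such as `// Held as a strong reference so the ASR cannot be freed while this item still refers to it.`, and give the same (currently uncommented) member in nsDisplayFixedPosition in the second hunk the same note. The copy constructor added here now copies `mContainerASR`; the sticky-position class whose member is changed at the top of this hunk has its definition start outside the hunk, so whether it has a matching copy constructor that also needs the member-init cannot be confirmed from here. Whether ActiveScrolledRoot's refcounting is safe for the thread on which these items are destroyed is also not visible in this diff and is worth stating in the comment if it is known.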
@@ -6025,17 +6026,17 @@ protected:
nsDisplayFixedPosition(nsDisplayListBuilder* aBuilder, nsIFrame* aFrame,
nsDisplayList* aList, uint32_t aIndex);
void Init(nsDisplayListBuilder* aBuilder);
ViewID GetScrollTargetId();
RefPtr<AnimatedGeometryRoot> mAnimatedGeometryRootForScrollMetadata;
uint32_t mIndex;
bool mIsFixedBackground;
- const ActiveScrolledRoot* mContainerASR;
+ RefPtr<const ActiveScrolledRoot> mContainerASR;
};
class nsDisplayTableFixedPosition : public nsDisplayFixedPosition
{
public:
static nsDisplayTableFixedPosition* CreateForFixedBackground(nsDisplayListBuilder* aBuilder,
nsIFrame* aFrame,
nsDisplayBackgroundImage* aImage,