I suggest you don't search for any report about it, so you don't get too much info, like the patch.
This time we do it by code audit.
Don't erase InterpolationTypes used by other documents
A registered custom property in one document caused the entry for the same custom property (unregistered) used in another document to be deleted, which caused a use-after-free.
Only store the CSSDefaultInterpolationType for unregistered custom properties and never store registered properties in the map. They may have different types in different documents when registered.
You can read this to learn what animation is about.
For more info click me! But you'd better not do this
https://bugs.chromium.org/p/chromium/issues/detail?id=1192054
Just like exercise_4, we need Chromium. I recommend you follow the official guidance. If you have installed depot_tools before, you just need to run fetch chromium.
When you finish the above, run git reset --hard 7e5707cc5f46b0155b9e42b121c8e2128c05f178, then we can analyze the source file online or offline.
This time you need to analyze the entire file third_party/blink/renderer/core/animation/css_interpolation_types_map.cc. This bug can be easily found if you read Details carefully ;)
Do this exercise by yourself. If you find something wrong in my answer, please correct it.
My answer
Details has clearly told us the cause of the vulnerability: a registered custom property in one document caused the entry for the same custom property (unregistered) used in another document to be deleted, which caused a use-after-free.
This means that if we register a custom property in one document, then the entry for the same custom property in another document, where it is unregistered, will be deleted by erase. The map is a static local shared by all documents, and Get returns a reference into it, so the other document is left holding a reference to the freed entry.
const InterpolationTypes& CSSInterpolationTypesMap::Get(
    const PropertyHandle& property) const {
  using ApplicableTypesMap =
      HashMap<PropertyHandle, std::unique_ptr<const InterpolationTypes>>;
  // TODO(iclelland): Combine these two hashmaps into a single map on
  // std::pair<bool,property>
  // Static locals: one map shared by every document in the process.
  DEFINE_STATIC_LOCAL(ApplicableTypesMap, all_applicable_types_map, ());
  DEFINE_STATIC_LOCAL(ApplicableTypesMap, composited_applicable_types_map, ());
  ApplicableTypesMap& applicable_types_map =
      allow_all_animations_ ? all_applicable_types_map
                            : composited_applicable_types_map;
  auto entry = applicable_types_map.find(property);  // [1] find entry (HashMap)
  bool found_entry = entry != applicable_types_map.end();
  // Custom property interpolation types may change over time so don't trust the
  // applicableTypesMap without checking the registry.
  if (registry_ && property.IsCSSCustomProperty()) {
    const auto* registration = GetRegistration(registry_, property);  // [2] registration
    if (registration) {
      if (found_entry) {
        // Destroys the unique_ptr's object; any reference previously returned
        // from this map for the same property (in another document) now dangles.
        applicable_types_map.erase(entry);  // [3] delete entry
      }
      return registration->GetInterpolationTypes();
    }
  }
  if (found_entry) {
    return *entry->value;  // reference into the shared map
  }
  [ ... ]
============================================================================
static const PropertyRegistration* GetRegistration(
    const PropertyRegistry* registry,
    const PropertyHandle& property) {
  DCHECK(property.IsCSSCustomProperty());
  if (!registry) {
    return nullptr;
  }
  return registry->Registration(property.CustomPropertyName());
}
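The lifetime problem above, as an added C++ model (not Chromium's code): one map shared by all documents plus a per-document registry, with the pre-fix lookup beside the lookup the fix describes. A weak_ptr stands in for the raw reference the real Get() returns, so the dangling case can be observed without touching freed memory; the names InterpolationTypes, Registry, g_applicable_types and the --x property are assumptions of this model.

```cpp
#include <map>
#include <memory>
#include <string>
// Constructed model, not Chromium code: one process-wide map (the DEFINE_STATIC_LOCAL
// map in Get()) is shared by all documents; each document has its own property registry.
struct InterpolationTypes { std::string kind; };
using Registry = std::map<std::string, std::shared_ptr<InterpolationTypes>>;
using TypesRef = std::weak_ptr<InterpolationTypes>;  // models the raw reference Get() returns
static std::map<std::string, std::shared_ptr<InterpolationTypes>> g_applicable_types;

// Default types for an unregistered custom property, cached in the shared map.
static TypesRef CachedDefault(const std::string& prop) {
  auto entry = g_applicable_types.find(prop);
  if (entry == g_applicable_types.end())
    entry = g_applicable_types.emplace(prop, std::make_shared<InterpolationTypes>(InterpolationTypes{"default"})).first;
  return entry->second;
}

// Pre-fix: a registered property erases the cached entry for that name, even
// though an unregistered use of the same name in another document still refers to it.
static TypesRef GetVulnerable(const Registry* registry, const std::string& prop) {
  auto entry = g_applicable_types.find(prop);
  if (registry) {
    auto reg = registry->find(prop);
    if (reg != registry->end()) {
      if (entry != g_applicable_types.end()) g_applicable_types.erase(entry);  // [3]: destroys the other document's types
      return reg->second;
    }
  }
  return CachedDefault(prop);
}

// Fixed: registered properties are answered from the registry and never touch the shared map.
static TypesRef GetFixed(const Registry* registry, const std::string& prop) {
  if (registry) {
    auto reg = registry->find(prop);
    if (reg != registry->end()) return reg->second;
  }
  return CachedDefault(prop);
}

// Document B uses --x unregistered and keeps the returned reference, then
// document A (where --x is registered) looks it up. Does B's reference survive?
bool ReferenceSurvives(bool use_fix) {
  g_applicable_types.clear();
  Registry doc_a{{"--x", std::make_shared<InterpolationTypes>(InterpolationTypes{"<length>"})}};
  Registry doc_b;  // --x is unregistered here
  auto get = use_fix ? GetFixed : GetVulnerable;
  TypesRef b_ref = get(&doc_b, "--x");
  get(&doc_a, "--x");
  return !b_ref.expired();  // false before the fix (dangling reference), true after
}
```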