Merge 95791 - use after free in WebCore::SVGTRefElement::updateReferencedText

Source/WebCore/svg/SVGTRefElement.cpp

Index: Source/WebCore/svg/SVGTRefElement.cpp
===================================================================
--- Source/WebCore/svg/SVGTRefElement.cpp	(revision 96033)
+++ Source/WebCore/svg/SVGTRefElement.cpp	(working copy)
@@ -193,9 +193,11 @@
             return;
         }
         updateReferencedText();
-        m_eventListener = SubtreeModificationEventListener::create(this, id);
-        ASSERT(target->parentNode());
-        target->parentNode()->addEventListener(eventNames().DOMSubtreeModifiedEvent, m_eventListener.get(), false);
+        if (inDocument()) {
+            m_eventListener = SubtreeModificationEventListener::create(this, id);
+            ASSERT(target->parentNode());
+            target->parentNode()->addEventListener(eventNames().DOMSubtreeModifiedEvent, m_eventListener.get(), false);
+        }
         if (RenderObject* renderer = this->renderer())
             RenderSVGResource::markForLayoutAndParentResourceInvalidation(renderer);
         return;
@@ -241,6 +243,21 @@
     }
 }
 
+void SVGTRefElement::insertedIntoDocument()
+{
+    SVGStyledElement::insertedIntoDocument();
+    String id;
+    Element* target = SVGURIReference::targetElementFromIRIString(href(), document(), &id);
+    if (!target) {
+        document()->accessSVGExtensions()->addPendingResource(id, this);
+        return;
+    }
+    updateReferencedText();
+    m_eventListener = SubtreeModificationEventListener::create(this, id);
+    ASSERT(target->parentNode());
+    target->parentNode()->addEventListener(eventNames().DOMSubtreeModifiedEvent, m_eventListener.get(), false);
+}
+
 void SVGTRefElement::removedFromDocument()
 {
     SVGStyledElement::removedFromDocument();