[webkit-changes] [WebKit/WebKit] bdc9ba: jsc_fuz/wktr: null ptr deref in WebCore::GraphicsL...

mattwoodrow noreply at github.com
Wed Dec 20 12:01:10 PST 2023 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: bdc9ba2c424d1d7e95f86e454b3d08b0dd136ee7
      https://github.com/WebKit/WebKit/commit/bdc9ba2c424d1d7e95f86e454b3d08b0dd136ee7
  Author: Matt Woodrow <mattwoodrow at apple.com>
  Date:   2023-12-20 (Wed, 20 Dec 2023)

  Changed paths:
    A LayoutTests/fast/canvas/offscreen-giant-expected.html
    A LayoutTests/fast/canvas/offscreen-giant.html
    M LayoutTests/platform/glib/TestExpectations
    M LayoutTests/platform/mac-monterey/TestExpectations
    M Source/WTF/wtf/unix/UnixFileDescriptor.h
    M Source/WebCore/platform/graphics/ca/cocoa/GraphicsLayerAsyncContentsDisplayDelegateCocoa.mm
    M Source/WebCore/platform/graphics/cocoa/DynamicContentScalingDisplayList.h
    M Source/WebKit/Platform/SharedMemory.h
    M Source/WebKit/Shared/RemoteLayerTree/RemoteLayerBackingStore.h
    M Source/WebKit/Shared/RemoteLayerTree/RemoteLayerBackingStore.mm
    M Source/WebKit/Shared/RemoteLayerTree/RemoteLayerWithInProcessRenderingBackingStore.mm
    M Source/WebKit/Shared/ShareableBitmap.h
    M Source/WebKit/WebProcess/WebPage/RemoteLayerTree/GraphicsLayerCARemote.mm
    M Source/WebKit/WebProcess/WebPage/RemoteLayerTree/PlatformCALayerRemote.h
    M Source/WebKit/WebProcess/WebPage/RemoteLayerTree/PlatformCALayerRemote.mm

  Log Message:
  -----------
  jsc_fuz/wktr: null ptr deref in WebCore::GraphicsLayerAsyncContentsDisplayDelegateCocoa::tryCopyToLayer(WebCore::ImageBuffer&)
https://bugs.webkit.org/show_bug.cgi?id=262640
<rdar://115497296>

Reviewed by Kimmo Kinnunen.

This adds support for setDelegatedContents on a PlatformCALayerRemote having a generic ImageBufferBackendHandle (which includes
shared memory), instead of only MachSendRight.

Adds an explicit copy constructor to SharedMemoryHandle, UnixFileDescriptor and CGDisplayList to match MachSendRight and make
this possible.

Also switches Protection::ReadWrite to Protection::ReadOnly for the RemoteLayerBackingStore callers, since we were already using
this for tryCopyToLayer, and we need the ::map() call in the UI process to not try ask for extra permissions.

* Source/WTF/wtf/unix/UnixFileDescriptor.h:
(WTF::UnixFileDescriptor::UnixFileDescriptor):
* Source/WebKit/Platform/SharedMemory.h:
* Source/WebKit/Shared/RemoteLayerTree/CGDisplayList.h:
* Source/WebKit/Shared/RemoteLayerTree/RemoteLayerBackingStore.h:
* Source/WebKit/Shared/RemoteLayerTree/RemoteLayerBackingStore.mm:
(WebKit::RemoteLayerBackingStore::encode const):
(WebKit::RemoteLayerBackingStore::setDelegatedContents):
(WebKit::RemoteLayerBackingStoreProperties::layerContentsBufferFromBackendHandle):
* Source/WebKit/Shared/ShareableBitmap.h:
* Source/WebKit/WebProcess/WebPage/RemoteLayerTree/GraphicsLayerCARemote.mm:
* Source/WebKit/WebProcess/WebPage/RemoteLayerTree/PlatformCALayerRemote.h:
* Source/WebKit/WebProcess/WebPage/RemoteLayerTree/PlatformCALayerRemote.mm:
(WebKit::PlatformCALayerRemote::setDelegatedContents):
(WebKit::PlatformCALayerRemote::setRemoteDelegatedContents):

Originally-landed-as: 267815.262 at safari-7617-branch (8ac19464ff91). rdar://119570861
Canonical link: https://commits.webkit.org/272365@main

More information about the webkit-changes mailing list