[webkit-changes] [WebKit/WebKit] e72817: Cherry-pick 252432.838 at safari-7614-branch (6651709...
Claudio Saavedra
noreply at github.com
Tue Jan 31 04:41:04 PST 2023
Branch: refs/heads/webkitglib/2.38
Home: https://github.com/WebKit/WebKit
Commit: e72817e76a462a0bfc9c1c5514c3f2f3479d10a7
https://github.com/WebKit/WebKit/commit/e72817e76a462a0bfc9c1c5514c3f2f3479d10a7
Author: Arunsundar Kannan <arunsundar_kannan at apple.com>
Date: 2023-01-31 (Tue, 31 Jan 2023)
Changed paths:
A LayoutTests/fast/forms/textfield-input-type-crash-onblur-expected.txt
A LayoutTests/fast/forms/textfield-input-type-crash-onblur.html
M Source/WebCore/html/HTMLInputElement.cpp
M Source/WebCore/html/HTMLOptionElement.cpp
M Source/WebCore/html/TextFieldInputType.cpp
Log Message:
-----------
Cherry-pick 252432.838 at safari-7614-branch (665170902bfa). https://bugs.webkit.org/show_bug.cgi?id=247389
UAF crash occurs during a style update when an older freed HTMLElement is accessed
https://bugs.webkit.org/show_bug.cgi?id=247389
rdar://101420898
Reviewed by Ryosuke Niwa and Ryan Haddad.
* LayoutTests/fast/forms/textfield-input-type-crash-onblur-expected.txt: Added.
* LayoutTests/fast/forms/textfield-input-type-crash-onblur.html: Added.
* Source/WebCore/html/HTMLInputElement.cpp:
(WebCore::HTMLInputElement::dataListMayHaveChanged):
* Source/WebCore/html/HTMLOptionElement.cpp:
(WebCore::HTMLOptionElement::childrenChanged):
* Source/WebCore/html/TextFieldInputType.cpp:
(WebCore::TextFieldInputType::createDataListDropdownIndicator):
(WebCore::TextFieldInputType::dataListMayHaveChanged):
Canonical link: https://commits.webkit.org/252432.838@safari-7614-branch
Commit: ee69ee950363d4ec41fbc397b841aa21c303eb59
https://github.com/WebKit/WebKit/commit/ee69ee950363d4ec41fbc397b841aa21c303eb59
Author: Chris Dumez <cdumez at apple.com>
Date: 2023-01-31 (Tue, 31 Jan 2023)
Changed paths:
A LayoutTests/fast/dom/lazy-loading-iframe-destruction-crash-expected.txt
A LayoutTests/fast/dom/lazy-loading-iframe-destruction-crash.html
M Source/WebCore/dom/Document.cpp
Log Message:
-----------
Cherry-pick 252432.841 at safari-7614-branch (a47510d4bcf4). https://bugs.webkit.org/show_bug.cgi?id=248111
Fix potential crash under IntersectionObserver::disconnect()
https://bugs.webkit.org/show_bug.cgi?id=248111
rdar://100355921
Reviewed by Jonathan Bedard and Ryosuke Niwa.
Make sure we protect the intersection observers and resize observers before
calling disconnect() on them in Document::commonTeardown().
This is a speculative fix to address the crash in the radar, which I was
unable to reproduce.
* LayoutTests/fast/dom/lazy-loading-iframe-destruction-crash-expected.txt: Added.
* LayoutTests/fast/dom/lazy-loading-iframe-destruction-crash.html: Added.
Include test from the radar, even though it didn't reproduce the issue for me.
* Source/WebCore/dom/Document.cpp:
(WebCore::Document::commonTeardown):
Canonical link: https://commits.webkit.org/252432.841@safari-7614-branch
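The commit message above describes a "protect before disconnect()" fix without showing the shape of it. The following is an added example, not WebKit code and not from the commit: a reduced C++ model of the hazard and of the fix. `Registry`, `Observer`, `Document::commonTeardown()` and `runTeardownScenario()` are all assumed names; `std::shared_ptr`/`std::weak_ptr` stand in for WebKit's own reference-counting types. The point it shows is that `disconnect()` can release the last strong reference held elsewhere, so the caller must hold its own strong reference for the duration of the call.

```cpp
#include <algorithm>
#include <memory>
#include <vector>

struct Observer;

// Stands in for whatever owns the observer's strong reference in the real
// engine (the registration / script wrapper); that reference goes away when
// the observer unregisters itself. Assumed model, not a WebKit type.
struct Registry {
    std::vector<std::shared_ptr<Observer>> strongRefs;
    int destroyedAfterDisconnect = 0;  // destructors that ran only after disconnect() finished
};

struct Observer {
    Registry& registry;
    bool disconnectFinished = false;

    explicit Observer(Registry& r) : registry(r) { }
    ~Observer() {
        if (disconnectFinished)
            ++registry.destroyedAfterDisconnect;
    }

    void disconnect() {
        auto& refs = registry.strongRefs;
        // Unregistering releases the registry's strong reference. If nothing
        // else holds one, *this dies inside this erase() and every line below
        // is a use-after-free.
        refs.erase(std::remove_if(refs.begin(), refs.end(),
                       [this](const std::shared_ptr<Observer>& p) { return p.get() == this; }),
                   refs.end());
        disconnectFinished = true;  // member write after the release
    }
};

struct Document {
    // The document tracks its observers weakly; it must not keep them alive.
    std::vector<std::weak_ptr<Observer>> observers;

    // Teardown in the shape of the fix: take a strong reference before calling
    // disconnect() so the object outlives the call regardless of what
    // disconnect() releases on the way.
    int commonTeardown() {
        int disconnected = 0;
        for (auto& weak : observers) {
            if (std::shared_ptr<Observer> protectedObserver = weak.lock()) {
                protectedObserver->disconnect();
                ++disconnected;
            } // protectedObserver released here, only after disconnect() returned
        }
        observers.clear();
        return disconnected;
    }
};

struct Outcome {
    int disconnected;
    int destroyedAfterDisconnect;
    int stillRegistered;
};

// Builds `count` observers owned by the registry and weakly tracked by the
// document, then tears the document down.
Outcome runTeardownScenario(int count) {
    Registry registry;
    Document document;
    for (int i = 0; i < count; ++i) {
        auto observer = std::make_shared<Observer>(registry);
        registry.strongRefs.push_back(observer);
        document.observers.push_back(observer);
    }
    int disconnected = document.commonTeardown();
    return { disconnected, registry.destroyedAfterDisconnect,
             static_cast<int>(registry.strongRefs.size()) };
}
```

Without the `weak.lock()` copy, `disconnect()` would erase the only strong reference and then write `disconnectFinished`, which is exactly the freed-object access the commit guards against; with it, every destructor runs after its `disconnect()` completed.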
Commit: 2ee4be61cb23e858618fdc7c63b095e7635f6029
https://github.com/WebKit/WebKit/commit/2ee4be61cb23e858618fdc7c63b095e7635f6029
Author: Dan Glastonbury <djg at apple.com>
Date: 2023-01-31 (Tue, 31 Jan 2023)
Changed paths:
M Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp
Log Message:
-----------
Cherry-pick 252432.896 at safari-7614-branch (91df735c5c49). rdar://98583503
[WebGL] Harden texImageImpl byte length calculation
rdar://98583503
Reviewed by Kimmo Kinnunen and Ryan Haddad.
The calculation of the image size has been validated earlier but out of an
abundance of caution, use checked arithmetic on size_t to perform calculation,
returning a GL error on overflow.
* Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp:
(WebCore::WebGLRenderingContextBase::texImageImpl):
Calculate imagePixelsByteLength with checked arithmetic to catch integer
overflow.
Canonical link: https://commits.webkit.org/252432.896@safari-7614-branch
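The commit message above says the byte length is now computed with checked arithmetic on size_t and a GL error is returned on overflow. The following is an added example, not code from the commit or from WebKit: a portable C++ model of that computation. `checkedMul`, `imagePixelsByteLength`, `validateUpload` and the `TexStatus` values are assumed names for this model (the real code reports a GL error; the exact error is not stated on this page), and the sample dimensions are constructed.

```cpp
#include <cstddef>
#include <limits>

// size_t multiply that reports overflow instead of wrapping (the portable
// form of what __builtin_mul_overflow does). Returns false on overflow.
bool checkedMul(size_t a, size_t b, size_t& out) {
    if (a != 0 && b > std::numeric_limits<size_t>::max() / a)
        return false;
    out = a * b;
    return true;
}

// Assumed status values for this model; the real code raises a GL error.
enum class TexStatus { Ok, InvalidValue, BufferTooSmall };

struct ByteLength {
    TexStatus status;
    size_t bytes;  // meaningful only when status == Ok
};

// Model of the imagePixelsByteLength computation in texImageImpl:
// width * height * bytesPerPixel on size_t, every step checked.
ByteLength imagePixelsByteLength(size_t width, size_t height, size_t bytesPerPixel) {
    size_t rowBytes = 0;
    if (!checkedMul(width, bytesPerPixel, rowBytes))
        return { TexStatus::InvalidValue, 0 };
    size_t total = 0;
    if (!checkedMul(rowBytes, height, total))
        return { TexStatus::InvalidValue, 0 };
    return { TexStatus::Ok, total };
}

// The unchecked form for contrast: unsigned wrap is well defined, so a huge
// image can "need" a tiny number of bytes and sail past a later bounds check.
size_t uncheckedByteLength(size_t width, size_t height, size_t bytesPerPixel) {
    return width * height * bytesPerPixel;
}

// Gate an upload from a caller-supplied pixel buffer of `availableBytes`:
// overflow is rejected before the byte count is ever compared to the buffer.
TexStatus validateUpload(size_t width, size_t height, size_t bytesPerPixel, size_t availableBytes) {
    ByteLength needed = imagePixelsByteLength(width, height, bytesPerPixel);
    if (needed.status != TexStatus::Ok)
        return needed.status;
    return needed.bytes <= availableBytes ? TexStatus::Ok : TexStatus::BufferTooSmall;
}

// Constructed width that makes width * 4 wrap for any size_t width.
constexpr size_t kWrappingWidth = std::numeric_limits<size_t>::max() / 2 + 1;
```

The contrast case is `uncheckedByteLength(kWrappingWidth, 4, 1)`, which wraps to 0 and would pass any "fits in the buffer" comparison, while the checked path returns `InvalidValue` for the same inputs.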
Commit: dfb14621447bf8d6f565cb8fac734ed9890e246e
https://github.com/WebKit/WebKit/commit/dfb14621447bf8d6f565cb8fac734ed9890e246e
Author: Alex Christensen <achristensen at apple.com>
Date: 2023-01-31 (Tue, 31 Jan 2023)
Changed paths:
M Source/WebKit/WebProcess/WebCoreSupport/SessionStateConversion.cpp
M Tools/TestWebKitAPI/Tests/WebKit/WKBackForwardList.mm
Log Message:
-----------
Cherry-pick 252432.898 at safari-7614-branch (57748248ae92). https://bugs.webkit.org/show_bug.cgi?id=248664
Truncate title before adding to _WKSessionState
https://bugs.webkit.org/show_bug.cgi?id=248664
rdar://102444516
Reviewed by Chris Dumez, Mark Gee, and Jonathan Bedard.
Truncate the title to 1000 characters like we do everywhere else we send the title from the web content process.
* Source/WebKit/WebProcess/WebCoreSupport/SessionStateConversion.cpp:
(WebKit::toBackForwardListItemState):
* Tools/TestWebKitAPI/Tests/WebKit/WKBackForwardList.mm:
(TEST):
Canonical link: https://commits.webkit.org/252432.898@safari-7614-branch
Commit: 35ecde32dfff55d1afd332047651da077426fb95
https://github.com/WebKit/WebKit/commit/35ecde32dfff55d1afd332047651da077426fb95
Author: Claudio Saavedra <csaavedra at igalia.com>
Date: 2023-01-31 (Tue, 31 Jan 2023)
Changed paths:
A LayoutTests/http/tests/security/embedded-self-reference-after-url-modified-expected.txt
A LayoutTests/http/tests/security/embedded-self-reference-after-url-modified.html
M Source/WebCore/html/HTMLFrameOwnerElement.cpp
Log Message:
-----------
Cherry-pick 256843.2 at webkit-2022.12-embargoed (155bed739000). https://bugs.webkit.org/show_bug.cgi?id=248469
HTMLFrameOwnerElement: use Document::creationURL() for self-reference check
https://bugs.webkit.org/show_bug.cgi?id=248469
Reviewed by Darin Adler.
Document::url() can be changed through the History API, therefore it's not
a reliable source to verify whether a given URL is self-referencing. Use
creationURL instead, which is immutable.
* LayoutTests/http/tests/security/embedded-self-reference-after-url-modified-expected.txt: Added.
* LayoutTests/http/tests/security/embedded-self-reference-after-url-modified.html: Added.
* Source/WebCore/html/HTMLFrameOwnerElement.cpp:
(WebCore::HTMLFrameOwnerElement::isProhibitedSelfReference const):
Canonical link: https://commits.webkit.org/256843.2@webkit-2022.12-embargoed
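The commit message above gives the reason for the change (Document::url() is mutable through the History API, creationURL is not) but not a demonstration. The following is an added example, not WebKit code and not the layout test from the commit: a simplified C++ model of the ancestor walk with both comparisons side by side. `Doc`, `pushState`, `matchesAncestor` and the two `isProhibitedSelfReference…` functions are assumed names, the URLs are constructed, and the model compares URLs as plain strings, which is not WebKit's exact matching rule.

```cpp
#include <string>

// Model of a document in the frame tree. creationURL is fixed when the
// document is created; url can be rewritten later by history.pushState() /
// replaceState() without any navigation. Assumed model, not a WebKit type.
struct Doc {
    std::string creationURL;
    std::string url;
    const Doc* parent;  // nullptr for the top-level document

    explicit Doc(const std::string& created, const Doc* p = nullptr)
        : creationURL(created), url(created), parent(p) { }

    // history.pushState(state, title, newURL): only url changes.
    void pushState(const std::string& newURL) { url = newURL; }
};

// Walk from the owner document up through its ancestors and report whether
// the candidate frame URL matches one of them under the supplied accessor.
template <typename GetURL>
bool matchesAncestor(const Doc& owner, const std::string& candidate, GetURL getURL) {
    for (const Doc* d = &owner; d; d = d->parent) {
        if (getURL(*d) == candidate)
            return true;
    }
    return false;
}

// Before the fix: compares against the mutable Document::url().
bool isProhibitedSelfReferenceViaURL(const Doc& owner, const std::string& candidate) {
    return matchesAncestor(owner, candidate, [](const Doc& d) { return d.url; });
}

// After the fix: compares against the immutable Document::creationURL().
bool isProhibitedSelfReferenceViaCreationURL(const Doc& owner, const std::string& candidate) {
    return matchesAncestor(owner, candidate, [](const Doc& d) { return d.creationURL; });
}

struct Verdict {
    bool viaURL;
    bool viaCreationURL;
};

// Scenario from the commit: a page rewrites its own URL, then embeds the URL
// it was created from. Only the creationURL-based check still catches it.
Verdict selfEmbedAfterPushState() {
    Doc top("https://example.test/page.html");    // constructed sample URL
    top.pushState("https://example.test/other");  // document.url changes, creationURL does not
    const std::string frameSrc = "https://example.test/page.html";
    return { isProhibitedSelfReferenceViaURL(top, frameSrc),
             isProhibitedSelfReferenceViaCreationURL(top, frameSrc) };
}

// Control: without pushState both checks agree.
Verdict selfEmbedWithoutPushState() {
    Doc top("https://example.test/page.html");
    const std::string frameSrc = "https://example.test/page.html";
    return { isProhibitedSelfReferenceViaURL(top, frameSrc),
             isProhibitedSelfReferenceViaCreationURL(top, frameSrc) };
}

// Nested case: a child frame embeds its grandparent's original URL after the
// top document rewrote its own URL. The ancestor walk is what catches this.
Verdict nestedSelfEmbed() {
    Doc top("https://example.test/page.html");
    Doc child("https://example.test/child.html", &top);
    top.pushState("https://example.test/other");
    const std::string frameSrc = "https://example.test/page.html";
    return { isProhibitedSelfReferenceViaURL(child, frameSrc),
             isProhibitedSelfReferenceViaCreationURL(child, frameSrc) };
}
```

The state a check compares against has to be something the page cannot change from script; a URL that `pushState` can rewrite lets the page step out of the check and re-embed itself.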
Compare: https://github.com/WebKit/WebKit/compare/33fc68e77ae8...35ecde32dfff