[webkit-changes] [WebKit/WebKit] e72817: Cherry-pick 252432.838 at safari-7614-branch (6651709...

Claudio Saavedra noreply at github.com
Tue Jan 31 04:41:04 PST 2023


  Branch: refs/heads/webkitglib/2.38
  Home:   https://github.com/WebKit/WebKit
  Commit: e72817e76a462a0bfc9c1c5514c3f2f3479d10a7
      https://github.com/WebKit/WebKit/commit/e72817e76a462a0bfc9c1c5514c3f2f3479d10a7
  Author: Arunsundar Kannan <arunsundar_kannan at apple.com>
  Date:   2023-01-31 (Tue, 31 Jan 2023)

  Changed paths:
    A LayoutTests/fast/forms/textfield-input-type-crash-onblur-expected.txt
    A LayoutTests/fast/forms/textfield-input-type-crash-onblur.html
    M Source/WebCore/html/HTMLInputElement.cpp
    M Source/WebCore/html/HTMLOptionElement.cpp
    M Source/WebCore/html/TextFieldInputType.cpp

  Log Message:
  -----------
  Cherry-pick 252432.838 at safari-7614-branch (665170902bfa). https://bugs.webkit.org/show_bug.cgi?id=247389

    UAF crash occurs during a style update when an older freed HTMLElement is accessed
    https://bugs.webkit.org/show_bug.cgi?id=247389
    rdar://101420898

    Reviewed by Ryosuke Niwa and Ryan Haddad.

    * LayoutTests/fast/forms/textfield-input-type-crash-onblur-expected.txt: Added.
    * LayoutTests/fast/forms/textfield-input-type-crash-onblur.html: Added.
    * Source/WebCore/html/HTMLInputElement.cpp:
    (WebCore::HTMLInputElement::dataListMayHaveChanged):
    * Source/WebCore/html/HTMLOptionElement.cpp:
    (WebCore::HTMLOptionElement::childrenChanged):
    * Source/WebCore/html/TextFieldInputType.cpp:
    (WebCore::TextFieldInputType::createDataListDropdownIndicator):
    (WebCore::TextFieldInputType::dataListMayHaveChanged):

    Canonical link: https://commits.webkit.org/252432.838@safari-7614-branch


  Commit: ee69ee950363d4ec41fbc397b841aa21c303eb59
      https://github.com/WebKit/WebKit/commit/ee69ee950363d4ec41fbc397b841aa21c303eb59
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-01-31 (Tue, 31 Jan 2023)

  Changed paths:
    A LayoutTests/fast/dom/lazy-loading-iframe-destruction-crash-expected.txt
    A LayoutTests/fast/dom/lazy-loading-iframe-destruction-crash.html
    M Source/WebCore/dom/Document.cpp

  Log Message:
  -----------
  Cherry-pick 252432.841 at safari-7614-branch (a47510d4bcf4). https://bugs.webkit.org/show_bug.cgi?id=248111

    Fix potential crash under IntersectionObserver::disconnect()
    https://bugs.webkit.org/show_bug.cgi?id=248111
    rdar://100355921

    Reviewed by Jonathan Bedard and Ryosuke Niwa.

    Make sure we protect the intersection observers and resize observers before
    calling disconnect() on them in Document::commonTeardown().

    This is a speculative fix to address the crash in the radar, which I was
    unable to reproduce.

    * LayoutTests/fast/dom/lazy-loading-iframe-destruction-crash-expected.txt: Added.
    * LayoutTests/fast/dom/lazy-loading-iframe-destruction-crash.html: Added.
    Include test from the radar, even though it didn't reproduce the issue for me.

    * Source/WebCore/dom/Document.cpp:
    (WebCore::Document::commonTeardown):

    Canonical link: https://commits.webkit.org/252432.841@safari-7614-branch
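Both the 247389 entry above (a freed HTMLElement accessed during a style update) and this fix concern the same failure class: code that reaches an object through an unprotected pointer calls into something that can drop that object's last reference. The following is an added example, not WebKit's code and not the patch above, that shows the unprotected teardown loop beside the protected one. The observer, document and registry types are hypothetical stand-ins, and std::shared_ptr/std::weak_ptr stand in for WebKit's Ref/RefPtr/WeakPtr; the weak probe exists only so the example can report the dangling pointer instead of dereferencing it.

```cpp
#include <cstdio>
#include <memory>
#include <utility>
#include <vector>

struct Document;

// Hypothetical observer standing in for IntersectionObserver / ResizeObserver.
struct Observer {
    Document* document;
    explicit Observer(Document* doc) : document(doc) {}
    void disconnect();
};

struct Document {
    // The document's registry is the only strong owner of each observer.
    std::vector<std::shared_ptr<Observer>> observers;
};

// disconnect() removes the observer from its document. When the registry held
// the last strong reference, the observer is destroyed inside this call, so a
// caller that reaches it only through a raw pointer is left with a dangling one.
void Observer::disconnect() {
    auto& registry = document->observers;
    for (size_t i = 0; i < registry.size(); ++i) {
        if (registry[i].get() == this) {
            registry.erase(registry.begin() + i);  // may run ~Observer() right here
            return;                                 // no member access after this point
        }
    }
}

void addObservers(Document& doc, int count) {
    for (int i = 0; i < count; ++i)
        doc.observers.push_back(std::make_shared<Observer>(&doc));
}

// Unprotected teardown: walk the observers through raw pointers, as a loop that
// never takes a strong reference would. Returns true if any observer was
// destroyed while the loop still held a raw pointer to it (the UAF condition).
bool teardownUnprotected(Document& doc) {
    std::vector<std::pair<Observer*, std::weak_ptr<Observer>>> snapshot;
    for (auto& observer : doc.observers)
        snapshot.emplace_back(observer.get(), observer);

    bool dangling = false;
    for (auto& [observer, probe] : snapshot) {
        observer->disconnect();   // may drop the last strong reference
        if (probe.expired())      // `observer` now points at freed memory;
            dangling = true;      // any further use here would be a use-after-free
    }
    return dangling;
}

// Protected teardown: take strong references first, then call disconnect().
// The registry may drop its references, but ours keep every observer alive
// until `protectedObservers` goes out of scope at the end of the function.
bool teardownProtected(Document& doc) {
    std::vector<std::shared_ptr<Observer>> protectedObservers = doc.observers;

    bool dangling = false;
    for (auto& observer : protectedObservers) {
        std::weak_ptr<Observer> probe = observer;
        observer->disconnect();
        if (probe.expired())      // cannot happen: we still hold a strong reference
            dangling = true;
    }
    return dangling;
}

int main() {
    Document unprotectedDoc;
    addObservers(unprotectedDoc, 3);
    std::printf("unprotected teardown left a dangling pointer: %s\n",
                teardownUnprotected(unprotectedDoc) ? "yes" : "no");

    Document protectedDoc;
    addObservers(protectedDoc, 3);
    std::printf("protected teardown left a dangling pointer: %s\n",
                teardownProtected(protectedDoc) ? "yes" : "no");
    return 0;
}
```

The protected variant copies the registry before the loop rather than iterating it directly, which also sidesteps the separate iterator-invalidation problem of erasing from a container while walking it.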


  Commit: 2ee4be61cb23e858618fdc7c63b095e7635f6029
      https://github.com/WebKit/WebKit/commit/2ee4be61cb23e858618fdc7c63b095e7635f6029
  Author: Dan Glastonbury <djg at apple.com>
  Date:   2023-01-31 (Tue, 31 Jan 2023)

  Changed paths:
    M Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp

  Log Message:
  -----------
  Cherry-pick 252432.896 at safari-7614-branch (91df735c5c49). rdar://98583503

    [WebGL] Harden texImageImpl byte length calculation
    rdar://98583503

    Reviewed by Kimmo Kinnunen and Ryan Haddad.

    The calculation of the image size has been validated earlier, but out of an
    abundance of caution, use checked arithmetic on size_t to perform the calculation,
    returning a GL error on overflow.

    * Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp:
    (WebCore::WebGLRenderingContextBase::texImageImpl):
    Calculate imagePixelsByteLength with checked arithmetic to catch integer
    overflow.

    Canonical link: https://commits.webkit.org/252432.896@safari-7614-branch
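As an added example (not WebKit's code and not the patch above), the following contrasts a plain width * height * bytesPerPixel computation with one carried out through a small checked type. The CheckedSize class is a hypothetical stand-in for WTF::Checked<size_t>, and the TexImageStatus values and the validateTexImageUpload function are invented for the example; which GL error the real code reports is not taken from the page.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <limits>

// Minimal stand-in for WTF::Checked<size_t>: a size_t with a sticky overflow
// flag that survives a chain of multiplications. Not WebKit's implementation.
class CheckedSize {
public:
    explicit CheckedSize(size_t value) : m_value(value) {}

    CheckedSize& operator*=(size_t rhs) {
        // a * b overflows size_t exactly when b > SIZE_MAX / a (for a != 0).
        if (m_value != 0 && rhs > std::numeric_limits<size_t>::max() / m_value)
            m_overflowed = true;
        m_value *= rhs;   // unsigned wrap is well defined; the flag says the result is meaningless
        return *this;
    }
    bool hasOverflowed() const { return m_overflowed; }
    size_t value() const { return m_value; }   // only meaningful when !hasOverflowed()

private:
    size_t m_value;
    bool m_overflowed = false;
};

enum class TexImageStatus { Ok, InvalidValue, InvalidOperation };

// Unchecked byte length: wraps silently on overflow, so an enormous image can
// come out as a tiny (or zero) byte count.
size_t imagePixelsByteLengthUnchecked(size_t width, size_t height, size_t bytesPerPixel) {
    return width * height * bytesPerPixel;
}

// Validation built on the unchecked length: accepts the overflowing image
// because the wrapped byte count fits in the caller's small buffer.
TexImageStatus validateTexImageUploadUnchecked(size_t width, size_t height,
                                               size_t bytesPerPixel, size_t bufferLength) {
    size_t byteLength = imagePixelsByteLengthUnchecked(width, height, bytesPerPixel);
    return byteLength > bufferLength ? TexImageStatus::InvalidOperation : TexImageStatus::Ok;
}

// Validation built on checked arithmetic: overflow is reported as an error
// before the byte count is ever compared against the buffer.
TexImageStatus validateTexImageUpload(size_t width, size_t height, size_t bytesPerPixel,
                                      size_t bufferLength, size_t* outByteLength) {
    CheckedSize byteLength(width);
    byteLength *= height;
    byteLength *= bytesPerPixel;
    if (byteLength.hasOverflowed())
        return TexImageStatus::InvalidValue;
    if (byteLength.value() > bufferLength)
        return TexImageStatus::InvalidOperation;
    if (outByteLength)
        *outByteLength = byteLength.value();
    return TexImageStatus::Ok;
}

int main() {
    // Constructed inputs: the width is chosen so that width * 2 wraps to zero
    // on any size_t width.
    const size_t hugeWidth = std::numeric_limits<size_t>::max() / 2 + 1;
    std::printf("unchecked byte length for the huge image: %zu\n",
                imagePixelsByteLengthUnchecked(hugeWidth, 2, 1));
    std::printf("unchecked validation accepts it: %s\n",
                validateTexImageUploadUnchecked(hugeWidth, 2, 1, 16) == TexImageStatus::Ok ? "yes" : "no");
    std::printf("checked validation accepts it:   %s\n",
                validateTexImageUpload(hugeWidth, 2, 1, 16, nullptr) == TexImageStatus::Ok ? "yes" : "no");
    return 0;
}
```

The division test inside operator*= is the portable form of the check; with GCC or Clang the same thing can be written with __builtin_mul_overflow, which is also what production checked-integer types typically compile down to.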


  Commit: dfb14621447bf8d6f565cb8fac734ed9890e246e
      https://github.com/WebKit/WebKit/commit/dfb14621447bf8d6f565cb8fac734ed9890e246e
  Author: Alex Christensen <achristensen at apple.com>
  Date:   2023-01-31 (Tue, 31 Jan 2023)

  Changed paths:
    M Source/WebKit/WebProcess/WebCoreSupport/SessionStateConversion.cpp
    M Tools/TestWebKitAPI/Tests/WebKit/WKBackForwardList.mm

  Log Message:
  -----------
  Cherry-pick 252432.898 at safari-7614-branch (57748248ae92). https://bugs.webkit.org/show_bug.cgi?id=248664

    Truncate title before adding to _WKSessionState
    https://bugs.webkit.org/show_bug.cgi?id=248664
    rdar://102444516

    Reviewed by Chris Dumez, Mark Gee, and Jonathan Bedard.

    Truncate the title to 1000 characters like we do everywhere else we send the title from the web content process.

    * Source/WebKit/WebProcess/WebCoreSupport/SessionStateConversion.cpp:
    (WebKit::toBackForwardListItemState):
    * Tools/TestWebKitAPI/Tests/WebKit/WKBackForwardList.mm:
    (TEST):

    Canonical link: https://commits.webkit.org/252432.898@safari-7614-branch


  Commit: 35ecde32dfff55d1afd332047651da077426fb95
      https://github.com/WebKit/WebKit/commit/35ecde32dfff55d1afd332047651da077426fb95
  Author: Claudio Saavedra <csaavedra at igalia.com>
  Date:   2023-01-31 (Tue, 31 Jan 2023)

  Changed paths:
    A LayoutTests/http/tests/security/embedded-self-reference-after-url-modified-expected.txt
    A LayoutTests/http/tests/security/embedded-self-reference-after-url-modified.html
    M Source/WebCore/html/HTMLFrameOwnerElement.cpp

  Log Message:
  -----------
  Cherry-pick 256843.2 at webkit-2022.12-embargoed (155bed739000). https://bugs.webkit.org/show_bug.cgi?id=248469

    HTMLFrameOwnerElement: use Document::creationURL() for self-reference check
    https://bugs.webkit.org/show_bug.cgi?id=248469

    Reviewed by Darin Adler.

    Document::url() can be changed through the History API, so it's not
    a reliable source to verify whether a given URL is self-referencing. Use
    creationURL instead, which is immutable.

    * LayoutTests/http/tests/security/embedded-self-reference-after-url-modified-expected.txt: Added.
    * LayoutTests/http/tests/security/embedded-self-reference-after-url-modified.html: Added.
    * Source/WebCore/html/HTMLFrameOwnerElement.cpp:
    (WebCore::HTMLFrameOwnerElement::isProhibitedSelfReference const):

    Canonical link: https://commits.webkit.org/256843.2@webkit-2022.12-embargoed
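To make the bypass concrete, here is an added example (not WebKit's code and not the patch above) with a toy document model: a page created at one URL rewrites its address with pushState and then embeds a frame pointing at its original URL. A check against the mutable url() no longer sees the match; a check against the creation URL does. The Document struct, pushState method, UrlSource enum and isProhibitedSelfReference function are invented for the example, and the policy modelled (any match against the owner's document or an ancestor is prohibited) is a simplification; the page does not describe WebKit's exact nesting rules.

```cpp
#include <cstdio>
#include <string>
#include <string_view>
#include <utility>

// Toy frame/document model. `url` is what Document::url() reports and is
// rewritten by history.pushState()/replaceState(); `creationURL` is fixed when
// the document is created and never changes afterwards.
struct Document {
    std::string creationURL;
    std::string url;
    const Document* parent;   // document of the enclosing frame, nullptr at the top

    explicit Document(std::string initialURL, const Document* parentDocument = nullptr)
        : creationURL(initialURL), url(std::move(initialURL)), parent(parentDocument) {}

    // Models history.pushState(state, title, newURL): the address changes, the document does not.
    void pushState(std::string newURL) { url = std::move(newURL); }
};

enum class UrlSource { CurrentURL, CreationURL };

// Fragment-insensitive comparison: "page.html#x" names the same document as "page.html".
std::string_view withoutFragment(std::string_view url) {
    return url.substr(0, url.find('#'));
}

// Simplified self-reference check: the candidate URL is prohibited if it names
// the owner's own document or any ancestor document, compared either through
// the mutable url() (the old behaviour) or the immutable creation URL.
bool isProhibitedSelfReference(const Document& owner, std::string_view candidateURL, UrlSource source) {
    std::string_view target = withoutFragment(candidateURL);
    for (const Document* doc = &owner; doc; doc = doc->parent) {
        const std::string& compared = (source == UrlSource::CreationURL) ? doc->creationURL : doc->url;
        if (withoutFragment(compared) == target)
            return true;
    }
    return false;
}

int main() {
    Document top("https://example.test/page.html");
    top.pushState("https://example.test/other");   // page script rewrote its own address

    const char* self = "https://example.test/page.html";
    std::printf("url() check:         %s\n",
                isProhibitedSelfReference(top, self, UrlSource::CurrentURL) ? "blocked" : "allowed");
    std::printf("creationURL() check: %s\n",
                isProhibitedSelfReference(top, self, UrlSource::CreationURL) ? "blocked" : "allowed");
    return 0;
}
```

With the url()-based comparison the embed is allowed, and the freshly loaded frame can repeat the same pushState-then-embed sequence, which is exactly the recursion the self-reference check exists to stop; the creation URL cannot be rewritten from script, so the comparison holds regardless of what the page did to its history.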


Compare: https://github.com/WebKit/WebKit/compare/33fc68e77ae8...35ecde32dfff

