[webkit-changes] [WebKit/WebKit] 4899da: Fix equals() for GlyphDisplayListCacheEntryHash
Chirag Shah
noreply@github.com
Mon May 22 13:43:14 PDT 2023
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 4899da4a450aca002aebb22cb19b4d1437e48eab
https://github.com/WebKit/WebKit/commit/4899da4a450aca002aebb22cb19b4d1437e48eab
Author: Chirag M Shah <chirag_m_shah@apple.com>
Date: 2023-05-22 (Mon, 22 May 2023)
Changed paths:
A LayoutTests/fast/rendering/glyph-display-list-cache-crash-expected.txt
A LayoutTests/fast/rendering/glyph-display-list-cache-crash.html
M Source/WebCore/rendering/GlyphDisplayListCache.h
Log Message:
-----------
Fix equals() for GlyphDisplayListCacheEntryHash
https://bugs.webkit.org/show_bug.cgi?id=254941
rdar://107416408
Reviewed by Cameron McCormack.
This change fixes a heap use after free in GlyphDisplayListCache, which
happens when the destructor of GlyphDisplayListCacheEntry tries to
remove this from the HashSet<GlyphDisplayListCacheEntry*>. The change
fixes the security issue by correcting the equal() implementation, which
now only checks for pointer equality.
* LayoutTests/fast/rendering/glyph-display-list-cache-crash-expected.txt: Added.
* LayoutTests/fast/rendering/glyph-display-list-cache-crash.html: Added.
* Source/WebCore/rendering/GlyphDisplayListCache.h:
(WebCore::GlyphDisplayListCacheEntryHash::equal):
Originally-landed-as: 259548.555@safari-7615-branch (707d4fb8838c). rdar://107416408
Canonical link: https://commits.webkit.org/264366@main
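The hazard the commit message describes, as an added illustration that is not WebKit's code: a set of raw entry pointers whose members remove `this` from the set in their destructor. The set is built twice, once with a hypothetical content-comparing equal() standing in for the bug and once with pointer equality, which is what the commit changes equal() to. The Entry, Registry and EntrySet types, the "hello" entries and the way two content-equal entries come to share the set are all constructed for this example; the page does not say how WebKit reached that state. A small std::vector-backed set stands in for WTF::HashSet, since the only property that matters is that removal erases the first stored pointer equal() accepts.

```cpp
// Added illustration of the bug class in the commit message; not WebKit code.
// Entries unregister themselves from a pointer set in their destructor, and the
// set's equal() policy decides which stored pointer that removal actually hits.
#include <algorithm>
#include <cstdio>
#include <memory>
#include <string>
#include <vector>

struct Entry;

// The set is reached through this interface when an entry dies.
struct Registry {
    virtual ~Registry() = default;
    virtual void remove(Entry*) = 0;
};

// Hypothetical equality policies for Entry*.
struct EqualByContent { static bool equal(const Entry* a, const Entry* b); }; // the bug
struct EqualByPointer { static bool equal(const Entry* a, const Entry* b) { return a == b; } }; // the fix

// Minimal stand-in for HashSet<Entry*>: removal erases the first stored pointer
// for which Equal::equal() holds, which is the property that matters here.
template<typename Equal>
class EntrySet final : public Registry {
public:
    void add(Entry* e) { m_entries.push_back(e); }
    void remove(Entry* e) override {
        auto it = std::find_if(m_entries.begin(), m_entries.end(),
            [e](const Entry* stored) { return Equal::equal(stored, e); });
        if (it != m_entries.end())
            m_entries.erase(it);
    }
    void clear() { m_entries.clear(); }
    // Compares addresses only, so it is safe to ask about an already-freed entry.
    bool holdsAddress(const void* p) const {
        return std::any_of(m_entries.begin(), m_entries.end(),
            [p](const Entry* stored) { return static_cast<const void*>(stored) == p; });
    }
private:
    std::vector<Entry*> m_entries;
};

struct Entry {
    std::string text; // hypothetical stand-in for the cached glyph run's key data
    Registry& owner;
    Entry(std::string t, Registry& o) : text(std::move(t)), owner(o) { }
    ~Entry() { owner.remove(this); } // as GlyphDisplayListCacheEntry's destructor does
};

bool EqualByContent::equal(const Entry* a, const Entry* b) { return a->text == b->text; }

struct Outcome {
    bool staleAddressLeftInSet; // the destroyed entry's address is still stored
    bool liveEntryStillInSet;   // the surviving entry is still in the set
};

// Constructed scenario: two live entries with identical content sit in the set,
// then one of them is destroyed.
template<typename Equal>
Outcome runScenario() {
    EntrySet<Equal> set;
    auto a = std::make_unique<Entry>("hello", set);
    auto b = std::make_unique<Entry>("hello", set);
    set.add(a.get());
    set.add(b.get());

    const void* bAddress = b.get();
    b.reset(); // ~Entry runs set.remove(b): by content this erases a, not b

    Outcome out { set.holdsAddress(bAddress), set.holdsAddress(a.get()) };

    // Under EqualByContent the set now stores freed memory. The next removal
    // (for instance a's own destructor) would hand that stale pointer to equal()
    // and read freed memory: the use-after-free the commit describes. Clear the
    // set first so this demonstration itself stays well defined.
    set.clear();
    return out;
}

int main() {
    Outcome bug = runScenario<EqualByContent>();
    Outcome fix = runScenario<EqualByPointer>();
    std::printf("content equality: stale pointer left=%d, live entry kept=%d\n",
                bug.staleAddressLeftInSet, bug.liveEntryStillInSet);
    std::printf("pointer equality: stale pointer left=%d, live entry kept=%d\n",
                fix.staleAddressLeftInSet, fix.liveEntryStillInSet);
    return 0;
}
```

With the content-comparing policy, destroying b erases the live entry a and leaves b's freed address in the set, which is the dangling pointer a later removal or lookup would dereference; with pointer equality, remove(this) can only ever erase this, whatever the entries' contents, so no other comparison needs to touch entry memory at all.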