[webkit-changes] [WebKit/WebKit] 9fe118: Fix heap-use-after-free MediaPlayer/MediaPlayerPri...
Alex Christensen
noreply at github.com
Thu May 25 08:19:06 PDT 2023
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 9fe1180072fb102197c24ab84015c31d2423b2d3
https://github.com/WebKit/WebKit/commit/9fe1180072fb102197c24ab84015c31d2423b2d3
Author: Chirag M Shah <chirag_m_shah at apple.com>
Date: 2023-05-25 (Thu, 25 May 2023)
Changed paths:
M Source/WebCore/html/HTMLMediaElement.cpp
M Source/WebCore/platform/graphics/avfoundation/MediaPlayerPrivateAVFoundation.h
M Source/WebCore/platform/graphics/avfoundation/objc/MediaPlayerPrivateMediaSourceAVFObjC.h
M Source/WebCore/platform/graphics/avfoundation/objc/MediaPlayerPrivateMediaStreamAVFObjC.h
M Source/WebCore/platform/graphics/cocoa/MediaPlayerPrivateWebM.h
M Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp
M Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.h
M Source/WebCore/platform/graphics/holepunch/MediaPlayerPrivateHolePunch.h
M Source/WebCore/platform/graphics/win/MediaPlayerPrivateMediaFoundation.h
M Source/WebCore/platform/mock/mediasource/MockMediaPlayerMediaSource.h
Log Message:
-----------
Fix heap-use-after-free MediaPlayer/MediaPlayerPrivateMediaStreamAVFObjC
https://bugs.webkit.org/show_bug.cgi?id=254954
rdar://107363228
Reviewed by Youenn Fablet.
This change fixes a UAF issue which happens when
processNewVideoFrame() ends up using a freed MediaPlayer because it
used to store a raw pointer to that object. This change adopts a WeakPtr
for that, so that ownership semantics are clear. Also, a change in
attribute will result in a call to attributeChanged which results in a
call to createMediaPlayer(). At this point, we need to clear the
existing MediaPlayer, and invalidate it so that the m_client isn't left
dangling.
* Source/WebCore/html/HTMLMediaElement.cpp:
* Source/WebCore/platform/graphics/avfoundation/MediaPlayerPrivateAVFoundation.h:
(WebCore::MediaPlayerPrivateAVFoundation::player):
(WebCore::MediaPlayerPrivateAVFoundation::player const):
* Source/WebCore/platform/graphics/avfoundation/objc/MediaPlayerPrivateMediaSourceAVFObjC.h:
* Source/WebCore/platform/graphics/avfoundation/objc/MediaPlayerPrivateMediaStreamAVFObjC.h:
* Source/WebCore/platform/graphics/cocoa/MediaPlayerPrivateWebM.h:
* Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.h:
* Source/WebCore/platform/graphics/holepunch/MediaPlayerPrivateHolePunch.h:
* Source/WebCore/platform/graphics/win/MediaPlayerPrivateMediaFoundation.h:
* Source/WebCore/platform/mock/mediasource/MockMediaPlayerMediaSource.h:
Originally-landed-as: 259548.573 at safari-7615-branch (8317512066d2). rdar://105876245
Canonical link: https://commits.webkit.org/264515@main
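The raw-pointer-to-WeakPtr change described in the commit above, modelled as an added example that is not WebKit's code: std::weak_ptr stands in for WTF::WeakPtr, and MediaPlayer, MediaPlayerPrivate and MediaElement are simplified stand-ins for the real classes. A frame that arrives after the element has torn down its player is now dropped instead of dereferencing freed memory.

```cpp
#include <memory>
#include <string>
#include <utility>

struct MediaPlayer {
    std::string client;   // stands in for m_client (the owning element)
    explicit MediaPlayer(std::string c) : client(std::move(c)) {}
};

// Platform-side object (the MediaPlayerPrivate* classes) that hands decoded frames
// back to the MediaPlayer. It used to hold a raw MediaPlayer*; the back-reference
// is now weak, so a destroyed player is detected rather than dereferenced.
struct MediaPlayerPrivate {
    std::weak_ptr<MediaPlayer> player;   // std::weak_ptr stands in for WTF::WeakPtr
    int framesDelivered = 0;
    int framesDropped = 0;

    void invalidate() { player.reset(); }

    // Returns true if the frame reached a live player, false if it was dropped.
    bool processNewVideoFrame() {
        if (auto p = player.lock()) {    // empty once the player has been destroyed
            ++framesDelivered;
            return !p->client.empty();
        }
        ++framesDropped;   // the raw-pointer version would touch freed memory here
        return false;
    }
};

// Stand-in for HTMLMediaElement: owns the player and recreates it on attribute change.
struct MediaElement {
    std::shared_ptr<MediaPlayer> player;
    std::shared_ptr<MediaPlayerPrivate> priv = std::make_shared<MediaPlayerPrivate>();

    void clearMediaPlayer() {
        priv->invalidate();   // drop the back-reference before the player dies
        player.reset();
    }
    void createMediaPlayer(const std::string& client) {
        if (player) clearMediaPlayer();   // the step the commit adds to createMediaPlayer()
        player = std::make_shared<MediaPlayer>(client);
        priv->player = player;
    }
};

// Returns {delivered, dropped} for a frame arriving between teardown and re-creation.
std::pair<int, int> framesAroundTeardown() {
    MediaElement el;
    el.createMediaPlayer("element-a");
    el.priv->processNewVideoFrame();   // delivered to the live player
    el.clearMediaPlayer();             // attribute change: old player freed
    el.priv->processNewVideoFrame();   // formerly the use-after-free; now dropped
    el.createMediaPlayer("element-b");
    el.priv->processNewVideoFrame();   // delivered to the new player
    return {el.priv->framesDelivered, el.priv->framesDropped};
}
```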
Commit: c4e8233ea43fde19c37de6d78b3b2b505d290853
https://github.com/WebKit/WebKit/commit/c4e8233ea43fde19c37de6d78b3b2b505d290853
Author: Mark Lam <mark.lam at apple.com>
Date: 2023-05-25 (Thu, 25 May 2023)
Changed paths:
M Source/JavaScriptCore/bytecode/CodeBlock.cpp
Log Message:
-----------
CodeBlock::baselineAlternative() lookup only needs an if statement.
https://bugs.webkit.org/show_bug.cgi?id=255030
<rdar://problem/107657983>
Reviewed by Justin Michaud and Yusuke Suzuki.
There is only ever one possible alternative, i.e. the baseline CodeBlock. Since there is
none beyond that, there is no need to loop here.
* Source/JavaScriptCore/bytecode/CodeBlock.cpp:
(JSC::CodeBlock::setAlternative):
(JSC::CodeBlock::baselineAlternative):
Originally-landed-as: 259548.581 at safari-7615-branch (1698533dc391). rdar://107657983
Canonical link: https://commits.webkit.org/264516@main
Commit: 83cfb2d0ade5487c5eb82cb3e3eef57974ccde51
https://github.com/WebKit/WebKit/commit/83cfb2d0ade5487c5eb82cb3e3eef57974ccde51
Author: Alex Christensen <achristensen at apple.com>
Date: 2023-05-25 (Thu, 25 May 2023)
Changed paths:
M Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp
Log Message:
-----------
Network process should only consider web archives to have been loaded if loaded using local scheme
https://bugs.webkit.org/show_bug.cgi?id=255459
rdar://106952778
Reviewed by John Pascoe.
Adding the scheme check matches the check in DocumentLoader::disallowWebArchive.
* Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp:
(WebKit::NetworkResourceLoader::didReceiveMainResourceResponse):
Originally-landed-as: 259548.637 at safari-7615-branch (2aa0035b7a09). rdar://105876245
Canonical link: https://commits.webkit.org/264517@main
Compare: https://github.com/WebKit/WebKit/compare/d72386bb1e65...83cfb2d0ade5