[webkit-changes] [WebKit/WebKit] 34b806: Cherry-pick 265870.524 at safari-7616-branch (5a87cf9...

Michael Catanzaro noreply at github.com
Thu Nov 2 17:20:26 PDT 2023


  Branch: refs/heads/webkitglib/2.42
  Home:   https://github.com/WebKit/WebKit
  Commit: 34b8065168e2805e611dbaaf2c85e31f212f594f
      https://github.com/WebKit/WebKit/commit/34b8065168e2805e611dbaaf2c85e31f212f594f
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-11-02 (Thu, 02 Nov 2023)

  Changed paths:
    M Source/WebCore/Modules/mediarecorder/MediaRecorder.cpp
    M Source/WebCore/Modules/mediarecorder/MediaRecorder.h
    M Source/WebCore/Modules/mediarecorder/MediaRecorderProvider.cpp
    M Source/WebCore/Modules/mediarecorder/MediaRecorderProvider.h
    M Source/WebCore/loader/EmptyClients.cpp
    M Source/WebCore/platform/mediarecorder/MediaRecorderPrivate.h
    M Source/WebCore/platform/mediarecorder/MediaRecorderPrivateAVFImpl.cpp
    M Source/WebCore/platform/mediarecorder/MediaRecorderPrivateAVFImpl.h
    M Source/WebCore/platform/mediarecorder/MediaRecorderPrivateGStreamer.cpp
    M Source/WebCore/platform/mediarecorder/MediaRecorderPrivateGStreamer.h
    M Source/WebCore/platform/mediarecorder/MediaRecorderPrivateMock.cpp
    M Source/WebCore/platform/mediarecorder/MediaRecorderPrivateMock.h
    M Source/WebCore/testing/Internals.cpp
    M Source/WebKit/WebProcess/GPU/webrtc/MediaRecorderPrivate.cpp
    M Source/WebKit/WebProcess/GPU/webrtc/MediaRecorderPrivate.h
    M Source/WebKit/WebProcess/GPU/webrtc/MediaRecorderProvider.cpp
    M Source/WebKit/WebProcess/GPU/webrtc/MediaRecorderProvider.h

  Log Message:
  -----------
  Cherry-pick 265870.524 at safari-7616-branch (5a87cf9c496f). https://bugs.webkit.org/show_bug.cgi?id=255629

    Regression(264919 at main) Use-after-free of MediaRecorderPrivate in GPUProcessConnection::didClose()
    https://bugs.webkit.org/show_bug.cgi?id=261224
    rdar://114807341

    Reviewed by Alex Christensen.

    264919 at main made WebKit::MediaRecorderPrivate subclass ThreadSafeRefCountedAndCanMakeThreadSafeWeakPtr.
    However, MediaRecorderPrivate is stored in std::unique_ptr<> throughout our code base, thus not obeying
    the refcount when managing its lifetime. This was the source of use-after-frees in
    GPUProcessConnection::didClose(), which held a strong Ref<> to the MediaRecorderPrivate but it wouldn't
    prevent the object from dying.

    To address the issue, we now use Ref<> / RefPtr<> everywhere for MediaRecorderPrivate. I also moved
    ThreadSafeRefCountedAndCanMakeThreadSafeWeakPtr to the base class (WebCore::MediaRecorderPrivate) since
    WebCore needs to know it can hold a Ref<> / RefPtr<> to such objects.

    * Source/WebCore/Modules/mediarecorder/MediaRecorder.cpp:
    (WebCore::MediaRecorder::createMediaRecorderPrivate):
    (WebCore::MediaRecorder::fetchData):
    * Source/WebCore/Modules/mediarecorder/MediaRecorder.h:
    * Source/WebCore/Modules/mediarecorder/MediaRecorderProvider.cpp:
    (WebCore::MediaRecorderProvider::createMediaRecorderPrivate):
    * Source/WebCore/Modules/mediarecorder/MediaRecorderProvider.h:
    * Source/WebCore/loader/EmptyClients.cpp:
    * Source/WebCore/platform/mediarecorder/MediaRecorderPrivate.h:
    * Source/WebCore/platform/mediarecorder/MediaRecorderPrivateAVFImpl.cpp:
    (WebCore::MediaRecorderPrivateAVFImpl::create):
    * Source/WebCore/platform/mediarecorder/MediaRecorderPrivateAVFImpl.h:
    * Source/WebCore/platform/mediarecorder/MediaRecorderPrivateGStreamer.cpp:
    (WebCore::MediaRecorderPrivateGStreamer::create):
    * Source/WebCore/platform/mediarecorder/MediaRecorderPrivateGStreamer.h:
    * Source/WebCore/platform/mediarecorder/MediaRecorderPrivateMock.cpp:
    (WebCore::MediaRecorderPrivateMock::create):
    * Source/WebCore/platform/mediarecorder/MediaRecorderPrivateMock.h:
    * Source/WebCore/testing/Internals.cpp:
    (WebCore::createRecorderMockSource):
    * Source/WebKit/WebProcess/GPU/webrtc/MediaRecorderPrivate.cpp:
    (WebKit::MediaRecorderPrivate::create):
    * Source/WebKit/WebProcess/GPU/webrtc/MediaRecorderPrivate.h:
    * Source/WebKit/WebProcess/GPU/webrtc/MediaRecorderProvider.cpp:
    (WebKit::MediaRecorderProvider::createMediaRecorderPrivate):
    * Source/WebKit/WebProcess/GPU/webrtc/MediaRecorderProvider.h:

    Canonical link: https://commits.webkit.org/265870.524@safari-7616-branch


  Commit: 6ea0a0e43d3f4c70d4461832610f70c68c68fab9
      https://github.com/WebKit/WebKit/commit/6ea0a0e43d3f4c70d4461832610f70c68c68fab9
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-11-02 (Thu, 02 Nov 2023)

  Changed paths:
    M Source/JavaScriptCore/wasm/WasmWorklist.cpp
    M Source/JavaScriptCore/wasm/WasmWorklist.h
    M Source/WTF/wtf/StdLibExtras.h
    M Source/WebCore/Modules/indexeddb/client/IDBConnectionToServer.cpp
    M Source/WebCore/Modules/push-api/ServiceWorkerRegistrationPushAPI.cpp
    M Source/WebCore/css/CSSGroupingRule.cpp
    M Source/WebCore/css/CSSKeyframesRule.cpp
    M Source/WebCore/css/CSSStyleRule.cpp
    M Source/WebCore/dom/DataTransfer.cpp
    M Source/WebCore/dom/Document.cpp
    M Source/WebCore/dom/Element.cpp
    M Source/WebCore/html/HTMLAnchorElement.cpp
    M Source/WebCore/html/HTMLCanvasElement.cpp
    M Source/WebCore/html/HTMLFormElement.cpp
    M Source/WebCore/html/HTMLIFrameElement.cpp
    M Source/WebCore/html/HTMLLinkElement.cpp
    M Source/WebCore/html/HTMLOutputElement.cpp
    M Source/WebCore/svg/SVGAElement.cpp
    M Source/WebCore/xml/XMLHttpRequest.cpp
    M Source/WebKit/WebProcess/GPU/GPUProcessConnection.cpp
    M Source/WebKit/WebProcess/GPU/media/RemoteImageDecoderAVFManager.cpp
    M Source/WebKit/WebProcess/GPU/media/RemoteImageDecoderAVFManager.h
    M Source/WebKit/WebProcess/GPU/media/RemoteMediaPlayerManager.cpp
    M Source/WebKit/WebProcess/GPU/media/RemoteMediaPlayerManager.h
    M Source/WebKit/WebProcess/WebPage/WebPage.cpp
    M Source/WebKit/WebProcess/WebProcess.cpp
    M Source/WebKit/WebProcess/WebProcess.h
    M Tools/TestWebKitAPI/Tests/WTF/HashMap.cpp
    M Tools/TestWebKitAPI/Tests/WTF/HashSet.cpp
    M Tools/TestWebKitAPI/Tests/WTF/RobinHoodHashMap.cpp
    M Tools/TestWebKitAPI/Tests/WTF/RobinHoodHashSet.cpp

  Log Message:
  -----------
  Fix bad cases of refcounted objects being stored in std::unique_ptr
https://bugs.webkit.org/show_bug.cgi?id=261280
rdar://115122287

Reviewed by David Kilzer and Alex Christensen.

In Bug 261224, I fixed a security bug where an object was refcounted but was
incorrectly stored in a std::unique_ptr<>, leading to use-after-frees.

In this patch, I am adding a check to WTF::makeUnique<T>() to fail if T::ref()
exists. This found bugs / unsafe code, which I am fixing in this patch.

There is also a common pattern in our code where an object implements ref() &
deref() to forward the refcounting to their owner. In turn, the owner then owns
the object via a std::unique_ptr<>. This is obviously tripping my check and yet
this is usually safe. As a result, I am introducing a
makeUniqueWithoutRefCountedCheck() for these cases.

* Source/JavaScriptCore/wasm/WasmWorklist.cpp:
(JSC::Wasm::Worklist::Worklist):
* Source/JavaScriptCore/wasm/WasmWorklist.h:
* Source/WTF/wtf/StdLibExtras.h:
(WTF::makeUnique):
(WTF::makeUniqueWithoutRefCountedCheck):
(WTF::makeUniqueWithoutFastMallocCheck):
* Source/WebCore/Modules/indexeddb/client/IDBConnectionToServer.cpp:
(WebCore::IDBClient::IDBConnectionToServer::IDBConnectionToServer):
* Source/WebCore/Modules/push-api/ServiceWorkerRegistrationPushAPI.cpp:
(WebCore::ServiceWorkerRegistrationPushAPI::pushManager):
* Source/WebCore/css/CSSGroupingRule.cpp:
(WebCore::CSSGroupingRule::cssRules const):
* Source/WebCore/css/CSSKeyframesRule.cpp:
(WebCore::CSSKeyframesRule::cssRules):
* Source/WebCore/css/CSSStyleRule.cpp:
(WebCore::CSSStyleRule::cssRules const):
* Source/WebCore/dom/DataTransfer.cpp:
(WebCore::DataTransfer::items):
* Source/WebCore/dom/Document.cpp:
(WebCore::Document::implementation):
* Source/WebCore/dom/Element.cpp:
(WebCore::Element::attributes const):
(WebCore::Element::classList):
(WebCore::Element::part):
(WebCore::Element::dataset):
(WebCore::Element::ensureFormAssociatedCustomElement):
* Source/WebCore/html/HTMLAnchorElement.cpp:
(WebCore::HTMLAnchorElement::relList):
* Source/WebCore/html/HTMLCanvasElement.cpp:
(WebCore::HTMLCanvasElement::transferControlToOffscreen):
* Source/WebCore/html/HTMLFormElement.cpp:
(WebCore::HTMLFormElement::relList):
* Source/WebCore/html/HTMLIFrameElement.cpp:
(WebCore::HTMLIFrameElement::sandbox):
* Source/WebCore/html/HTMLLinkElement.cpp:
(WebCore::HTMLLinkElement::sizes):
(WebCore::HTMLLinkElement::relList):
* Source/WebCore/html/HTMLOutputElement.cpp:
(WebCore::HTMLOutputElement::htmlFor):
* Source/WebCore/svg/SVGAElement.cpp:
(WebCore::SVGAElement::relList):
* Source/WebCore/xml/XMLHttpRequest.cpp:
(WebCore::XMLHttpRequest::upload):
* Source/WebKit/WebProcess/GPU/GPUProcessConnection.cpp:
(WebKit::GPUProcessConnection::mediaPlayerManager):
(WebKit::GPUProcessConnection::dispatchMessage):
* Source/WebKit/WebProcess/GPU/media/RemoteImageDecoderAVFManager.cpp:
(WebKit::RemoteImageDecoderAVFManager::create):
(WebKit::RemoteImageDecoderAVFManager::RemoteImageDecoderAVFManager): Deleted.
(WebKit::RemoteImageDecoderAVFManager::supplementName): Deleted.
* Source/WebKit/WebProcess/GPU/media/RemoteImageDecoderAVFManager.h:
* Source/WebKit/WebProcess/GPU/media/RemoteMediaPlayerManager.cpp:
(WebKit::RemoteMediaPlayerManager::create):
(WebKit::RemoteMediaPlayerManager::RemoteMediaPlayerManager): Deleted.
(WebKit::RemoteMediaPlayerManager::~RemoteMediaPlayerManager): Deleted.
(WebKit::RemoteMediaPlayerManager::supplementName): Deleted.
* Source/WebKit/WebProcess/GPU/media/RemoteMediaPlayerManager.h:
* Source/WebKit/WebProcess/WebPage/WebPage.cpp:
(WebKit::WebPage::updatePreferences):
* Source/WebKit/WebProcess/WebProcess.cpp:
(WebKit::WebProcess::WebProcess):
(WebKit::WebProcess::initializeWebProcess):
* Source/WebKit/WebProcess/WebProcess.h:
(WebKit::WebProcess::remoteMediaPlayerManager):
(WebKit::WebProcess::remoteImageDecoderAVFManager):
* Tools/TestWebKitAPI/Tests/WTF/RobinHoodHashMap.cpp:
(TestWebKitAPI::TEST):
* Tools/TestWebKitAPI/Tests/WTF/RobinHoodHashSet.cpp:
(TestWebKitAPI::TEST):

Canonical link: https://commits.webkit.org/265870.533@safari-7616-branch
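The two commits above describe the same hazard (a refcounted object owned by std::unique_ptr, so its refcount is ignored and it can die while still referenced) and the compile-time guard added to makeUnique(). The following is an added illustration, not WebKit's own WTF code: a trait that detects a member ref(), a factory that refuses such types, and the escape hatch for the forwarding ref()/deref() pattern. It assumes C++17; PlainObject, Owner and ForwardingChild are constructed sample types.

```cpp
#include <memory>
#include <type_traits>
#include <utility>

// Trait: does T expose a member ref()? That is the sign that T's lifetime is
// refcount-governed and so must not be owned by std::unique_ptr.
template <typename T, typename = void>
struct HasRef : std::false_type { };
template <typename T>
struct HasRef<T, std::void_t<decltype(std::declval<T&>().ref())>> : std::true_type { };

// Checked factory: instantiating it for a refcounted T fails at compile time.
template <typename T, typename... Args>
std::unique_ptr<T> makeUnique(Args&&... args)
{
    static_assert(!HasRef<T>::value, "T has ref(): hold it in a Ref/RefPtr, not std::unique_ptr");
    return std::make_unique<T>(std::forward<Args>(args)...);
}

// Escape hatch for the forwarding pattern: T's ref()/deref() delegate to its owner,
// and the owner legitimately keeps T in a unique_ptr, so the check is skipped.
template <typename T, typename... Args>
std::unique_ptr<T> makeUniqueWithoutRefCountedCheck(Args&&... args)
{
    return std::make_unique<T>(std::forward<Args>(args)...);
}

// Constructed sample types (hypothetical, not WebKit classes).
struct PlainObject { int value = 7; };
struct Owner;
struct ForwardingChild {
    explicit ForwardingChild(Owner& o) : owner(o) { }
    void ref(); // forwards to the owner; defined after Owner below
    Owner& owner;
};
struct Owner {
    int refCount = 1;
    std::unique_ptr<ForwardingChild> child; // owner holds the child in a unique_ptr
    void ref() { ++refCount; }
};
inline void ForwardingChild::ref() { owner.ref(); }

// makeUnique<ForwardingChild>(owner) would fail to compile; the escape hatch is required.
bool plainObjectHasRef() { return HasRef<PlainObject>::value; }
bool forwardingChildHasRef() { return HasRef<ForwardingChild>::value; }
int ownerRefCountAfterChildRef()
{
    Owner owner;
    owner.child = makeUniqueWithoutRefCountedCheck<ForwardingChild>(owner);
    owner.child->ref(); // bumps the owner's count; the child has none of its own
    return owner.refCount; // 2
}
```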


  Commit: e2a2dcf04b9f7b15e47de15e5bc83c52a469862e
      https://github.com/WebKit/WebKit/commit/e2a2dcf04b9f7b15e47de15e5bc83c52a469862e
  Author: Michael Catanzaro <mcatanzaro at redhat.com>
  Date:   2023-11-02 (Thu, 02 Nov 2023)

  Changed paths:
    M Source/WebCore/platform/audio/gstreamer/AudioSourceProviderGStreamer.h
    M Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp
    M Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.h

  Log Message:
  -----------
  Fix incorrect storage of AudioSourceProviderGStreamer
https://bugs.webkit.org/show_bug.cgi?id=264119

Unreviewed stable branch commit. We cannot store refcounted objects in a
std::unique_ptr since the object may be deleted with an outstanding
reference.

* Source/WebCore/platform/audio/gstreamer/AudioSourceProviderGStreamer.h:
* Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp:
(WebCore::MediaPlayerPrivateGStreamer::ensureAudioSourceProvider):
* Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.h:


  Commit: 2e71064c029466c901f55603355367d6362929e3
      https://github.com/WebKit/WebKit/commit/2e71064c029466c901f55603355367d6362929e3
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-11-02 (Thu, 02 Nov 2023)

  Changed paths:
    M Source/WTF/wtf/Algorithms.h
    M Source/WebCore/platform/audio/AudioArray.h
    M Source/WebCore/platform/audio/AudioBus.cpp
    M Source/WebCore/platform/audio/AudioChannel.h
    M Source/WebCore/platform/audio/MultiChannelResampler.cpp
    M Source/WebCore/platform/audio/MultiChannelResampler.h
    M Source/WebCore/platform/audio/SincResampler.cpp
    M Source/WebCore/platform/audio/SincResampler.h

  Log Message:
  -----------
  Security hardening for SincResampler
https://bugs.webkit.org/show_bug.cgi?id=261317
rdar://105650262

Reviewed by David Kilzer and Darin Adler.

Do security hardening for SincResampler as we have evidence that we're getting
the logic wrong in some cases and doing a heap-buffer overflow WRITE.

This patch updates SincResampler to use `std::span<float>` instead of `float*` and
to leverage new memcpySpans() / memsetSpan() functions I added to WTF.

This had several benefits:
- Using std::span means we don't lose track of our buffer bounds so we can do
  extra bounds checks.
- We benefit from std::span's bounds checks too which are already enabled on trunk
  via `-D_LIBCPP_ENABLE_ASSERTIONS=1`. Those checks apply to subspan() and operator[]
  in particular, both of which are used by SincResampler.

* Source/WTF/WTF.xcodeproj/project.pbxproj:
* Source/WTF/wtf/Algorithms.h:
(WTF::memcpySpans):
(WTF::memsetSpan):
* Source/WebCore/platform/audio/AudioArray.h:
(WebCore::AudioArray::toSpan):
(WebCore::AudioArray::toSpan const):
* Source/WebCore/platform/audio/AudioBus.cpp:
(WebCore::AudioBus::createBySampleRateConverting):
* Source/WebCore/platform/audio/AudioChannel.h:
* Source/WebCore/platform/audio/MultiChannelResampler.cpp:
(WebCore::MultiChannelResampler::process):
(WebCore::MultiChannelResampler::provideInputForChannel):
* Source/WebCore/platform/audio/MultiChannelResampler.h:
* Source/WebCore/platform/audio/SincResampler.cpp:
(WebCore::SincResampler::SincResampler):
(WebCore::SincResampler::updateRegions):
(WebCore::SincResampler::processBuffer):
(WebCore::SincResampler::process):
* Source/WebCore/platform/audio/SincResampler.h:

Canonical link: https://commits.webkit.org/265870.537@safari-7616-branch


  Commit: c52c35eae9ab3df71d3fcac99c1c4dc85ef9493d
      https://github.com/WebKit/WebKit/commit/c52c35eae9ab3df71d3fcac99c1c4dc85ef9493d
  Author: David Kilzer <ddkilzer at apple.com>
  Date:   2023-11-02 (Thu, 02 Nov 2023)

  Changed paths:
    M Source/WebCore/testing/js/WebCoreTestSupport.cpp
    M Source/WebCore/testing/js/WebCoreTestSupport.h

  Log Message:
  -----------
  Add test function for WebCore::SincResampler
https://bugs.webkit.org/show_bug.cgi?id=261702
<rdar://115682448>

Reviewed by Chris Dumez and Alex Christensen.

Add test method that calls SincResampler::processBuffer().

* Source/WebCore/testing/js/WebCoreTestSupport.cpp:
(WebCoreTestSupport::testSincResamplerProcessBuffer): Add.
* Source/WebCore/testing/js/WebCoreTestSupport.h:
(WebCoreTestSupport::testSincResamplerProcessBuffer): Add.

Canonical link: https://commits.webkit.org/265870.567@safari-7616-branch


Compare: https://github.com/WebKit/WebKit/compare/027d2d68cdf8...c52c35eae9ab

