[webkit-changes] [WebKit/WebKit] 784f2d: Crash under SVGImageChromeClient::invalidateConten...
Chirag Shah
noreply at github.com
Mon Oct 9 13:19:39 PDT 2023
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 784f2d33e59cc08ee43227f5730de71b9d71b4f8
https://github.com/WebKit/WebKit/commit/784f2d33e59cc08ee43227f5730de71b9d71b4f8
Author: Chris Dumez <cdumez at apple.com>
Date: 2023-10-09 (Mon, 09 Oct 2023)
Changed paths:
M Source/WebCore/html/ImageBitmap.cpp
M Source/WebCore/html/canvas/CanvasRenderingContext2DBase.cpp
M Source/WebCore/loader/cache/CachedImage.h
M Source/WebCore/platform/graphics/BitmapImage.cpp
M Source/WebCore/platform/graphics/GraphicsContextGL.cpp
M Source/WebCore/platform/graphics/Image.cpp
M Source/WebCore/platform/graphics/Image.h
M Source/WebCore/platform/graphics/ImageObserver.h
M Source/WebCore/platform/graphics/ImageSource.cpp
M Source/WebCore/platform/graphics/cg/PDFDocumentImage.cpp
M Source/WebCore/platform/graphics/texmap/TextureMapperTiledBackingStore.cpp
M Source/WebCore/svg/graphics/SVGImage.cpp
M Source/WebCore/svg/graphics/SVGImageClients.h
M Tools/TestWebKitAPI/Tests/WebCore/SVGImageCasts.cpp
Log Message:
-----------
Crash under SVGImageChromeClient::invalidateContentsAndRootView()
https://bugs.webkit.org/show_bug.cgi?id=258992
rdar://111456803
Reviewed by David Kilzer.
Do hardening by deploying WeakPtr instead of raw pointers for
SVGImage and ImageObserver. Also make it so that we can ref
an ImageObserver.
* Source/WebCore/html/ImageBitmap.cpp:
* Source/WebCore/html/canvas/CanvasRenderingContext2DBase.cpp:
(WebCore::CanvasRenderingContext2DBase::drawImage):
* Source/WebCore/loader/cache/CachedImage.h:
* Source/WebCore/platform/graphics/BitmapImage.cpp:
(WebCore::BitmapImage::draw):
(WebCore::BitmapImage::drawPattern):
(WebCore::BitmapImage::internalAdvanceAnimation):
(WebCore::BitmapImage::imageFrameAvailableAtIndex):
* Source/WebCore/platform/graphics/GraphicsContextGL.cpp:
(WebCore::GraphicsContextGL::packImageData):
* Source/WebCore/platform/graphics/Image.cpp:
(WebCore::Image::imageObserver const):
(WebCore::Image::setImageObserver):
(WebCore::Image::drawPattern):
* Source/WebCore/platform/graphics/Image.h:
(WebCore::Image::imageObserver const): Deleted.
(WebCore::Image::setImageObserver): Deleted.
* Source/WebCore/platform/graphics/ImageObserver.h:
(WebCore::ImageObserver::ref):
(WebCore::ImageObserver::deref):
* Source/WebCore/platform/graphics/ImageSource.cpp:
(WebCore::ImageSource::encodedDataStatusChanged):
(WebCore::ImageSource::decodedSizeChanged):
* Source/WebCore/platform/graphics/cg/PDFDocumentImage.cpp:
(WebCore::PDFDocumentImage::decodedSizeChanged):
(WebCore::PDFDocumentImage::draw):
* Source/WebCore/platform/graphics/texmap/TextureMapperTiledBackingStore.cpp:
(WebCore::TextureMapperTiledBackingStore::updateContentsFromImageIfNeeded):
* Source/WebCore/svg/graphics/SVGImage.cpp:
(WebCore::SVGImage::drawForContainer):
(WebCore::SVGImage::nativeImage):
(WebCore::SVGImage::draw):
(WebCore::SVGImage::dataChanged):
* Source/WebCore/svg/graphics/SVGImageClients.h:
* Tools/TestWebKitAPI/Tests/WebCore/SVGImageCasts.cpp:
(TestWebKitAPI::TestImageObserver::create):
(TestWebKitAPI::TEST):
Originally-landed-as: 265870.5 at safari-7616-branch (a06556a11b58). rdar://116423674
Canonical link: https://commits.webkit.org/269092@main
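The first commit replaces raw pointers from an Image to its ImageObserver with WeakPtr so that a destroyed observer is never dereferenced. The following is an added illustration of that pattern, not WebKit's code: it uses std::weak_ptr in place of WTF::WeakPtr, and the Image, ImageObserver and notifyContentsChanged names are constructed for the example.

```cpp
#include <memory>
#include <utility>

// Constructed example (not WebKit's code): an image holds only a weak
// reference to its observer, so a late notification after the observer
// has been destroyed is dropped instead of touching freed memory.

struct ImageObserver {
    int invalidations = 0;
    void invalidateContents() { ++invalidations; }
};

class Image {
public:
    // The image does not own its observer; it keeps a weak reference.
    void setImageObserver(std::weak_ptr<ImageObserver> observer) { m_observer = std::move(observer); }

    // Returns true if the observer was still alive and was notified.
    bool notifyContentsChanged()
    {
        // lock() yields a strong reference for the duration of the call,
        // or null if the observer has already been destroyed.
        if (auto observer = m_observer.lock()) {
            observer->invalidateContents();
            return true;
        }
        return false;
    }

private:
    std::weak_ptr<ImageObserver> m_observer;
};

// Scenario: the observer dies before the image does. With a raw pointer the
// second notification would be a use-after-free; with a weak pointer it is a
// no-op. Returns the number of invalidations delivered while the observer
// was alive, or -1 if a notification was (wrongly) delivered after its death.
int observerDestroyedBeforeImageScenario()
{
    Image image;
    int deliveredWhileAlive = 0;
    {
        auto observer = std::make_shared<ImageObserver>();
        image.setImageObserver(observer);
        image.notifyContentsChanged();
        deliveredWhileAlive = observer->invalidations;
    } // observer destroyed here; image still references it weakly
    bool deliveredAfterDeath = image.notifyContentsChanged();
    return deliveredAfterDeath ? -1 : deliveredWhileAlive;
}
```

The same shape applies to the ref()/deref() part of the commit: whoever needs the observer alive across a call takes a strong reference for that call only, rather than assuming the owner outlives the image.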
Commit: 5837018e94d0032fd30410fcdb1da5569c4e214d
https://github.com/WebKit/WebKit/commit/5837018e94d0032fd30410fcdb1da5569c4e214d
Author: Jer Noble <jer.noble at apple.com>
Date: 2023-10-09 (Mon, 09 Oct 2023)
Changed paths:
M Source/WebKit/UIProcess/mac/WKFullScreenWindowController.mm
Log Message:
-----------
[macOS] Do not attempt to create and restore "NSAutoresizingMaskLayoutConstraint" constraints when entering fullscreen
https://bugs.webkit.org/show_bug.cgi?id=257942
rdar://107387499
Reviewed by Eric Carlson.
These constraints are created by the NSView's autoresizingMask property, and will be re-created
with the correct contents when the view is restored to its original hierarchy.
* Source/WebKit/UIProcess/mac/WKFullScreenWindowController.mm:
(-[WKFullScreenWindowController enterFullScreen:]):
(-[WKFullScreenWindowController _saveConstraintsOf:]):
Originally-landed-as: 265870.6 at safari-7616-branch (9508936a5222). rdar://116423781
Canonical link: https://commits.webkit.org/269093@main
Commit: 9cefcf4d2bb361b2075a899e10798b8edea5e123
https://github.com/WebKit/WebKit/commit/9cefcf4d2bb361b2075a899e10798b8edea5e123
Author: Jer Noble <jer.noble at apple.com>
Date: 2023-10-09 (Mon, 09 Oct 2023)
Changed paths:
M Source/WebCore/platform/graphics/iso/ISOVTTCue.cpp
Log Message:
-----------
Crash due to massive allocation in ISOStringBox::parse()
https://bugs.webkit.org/show_bug.cgi?id=258677
rdar://111171885
Reviewed by Eric Carlson.
A malformed or malicious box may report an m_size larger than
the memory passed into the parser. In this case, do not attempt
to create a larger destination than is available in the source
buffer.
* Source/WebCore/platform/graphics/iso/ISOVTTCue.cpp:
Originally-landed-as: 265870.7 at safari-7616-branch (591d9d68abe9). rdar://116423868
Canonical link: https://commits.webkit.org/269094@main
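The ISOStringBox fix clamps the destination allocation to what the source buffer actually holds when a box header claims a larger size. As an added illustration, not WebKit's ISOVTTCue code, here is a minimal parser for a constructed ISO BMFF-style box (32-bit big-endian size covering an 8-byte header, 4-byte type, payload); the parseStringBox, StringBox and sample-buffer names are assumptions for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <optional>
#include <string>
#include <vector>

// Constructed example (not WebKit's code).
struct StringBox {
    std::string type;
    std::string contents;
    bool sizeWasTruncated = false; // declared size exceeded the source buffer
};

static uint32_t readBigEndian32(const uint8_t* p)
{
    return (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16) | (uint32_t(p[2]) << 8) | uint32_t(p[3]);
}

// Parses the box starting at `offset`. Returns nullopt if the 8-byte header
// does not fit in the buffer or the declared size is smaller than the header.
std::optional<StringBox> parseStringBox(const std::vector<uint8_t>& buffer, size_t offset)
{
    constexpr size_t headerSize = 8;
    if (offset > buffer.size() || buffer.size() - offset < headerSize)
        return std::nullopt;

    const uint8_t* p = buffer.data() + offset;
    uint64_t declaredSize = readBigEndian32(p);
    if (declaredSize < headerSize)
        return std::nullopt;

    size_t available = buffer.size() - offset;
    StringBox box;
    box.type.assign(reinterpret_cast<const char*>(p + 4), 4);

    // The check the commit describes: the destination is never sized from the
    // untrusted header alone, only from what the source buffer can supply.
    size_t payloadSize;
    if (declaredSize > available) {
        box.sizeWasTruncated = true;
        payloadSize = available - headerSize;
    } else {
        payloadSize = static_cast<size_t>(declaredSize) - headerSize;
    }
    box.contents.assign(reinterpret_cast<const char*>(p + headerSize), payloadSize);
    return box;
}

// Constructed sample input: a well-formed box of size 13 with payload "hello".
std::vector<uint8_t> wellFormedBox()
{
    return { 0, 0, 0, 13, 't', 'e', 'x', 't', 'h', 'e', 'l', 'l', 'o' };
}

// Constructed sample input: the header claims 0xFFFFFFFF bytes but only five
// payload bytes are present. Sizing the destination from the header would
// attempt a ~4 GiB allocation; clamping yields "hello".
std::vector<uint8_t> oversizedBox()
{
    return { 0xFF, 0xFF, 0xFF, 0xFF, 't', 'e', 'x', 't', 'h', 'e', 'l', 'l', 'o' };
}
```

Whether to clamp (as here and in the commit) or reject the box outright is a policy choice; either way the allocation size must come from the bounded input, and the sizeWasTruncated flag lets a caller log or count malformed input for detection purposes.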
Commit: b84646b46b5479dab18e1ee608ed7d15f482f5e9
https://github.com/WebKit/WebKit/commit/b84646b46b5479dab18e1ee608ed7d15f482f5e9
Author: Chirag M Shah <chirag_m_shah at apple.com>
Date: 2023-10-09 (Mon, 09 Oct 2023)
Changed paths:
M Tools/TestWebKitAPI/Tests/WebCore/SecurityOrigin.cpp
Log Message:
-----------
Fix stack-overflow when dealing with blobURL(s)
https://bugs.webkit.org/show_bug.cgi?id=258895
rdar://111440239
Reviewed by Chris Dumez.
This change fixes the stack overflow when checking for whether a blobURL
is secure.
* Source/WebCore/fileapi/BlobURL.cpp:
(WebCore::BlobURL::isSecureBlobURL):
* Tools/TestWebKitAPI/Tests/WebCore/SecurityOrigin.cpp:
(TestWebKitAPI::TEST_F):
Originally-landed-as: 265870.8 at safari-7616-branch (551b1fd24102). rdar://116423986
Canonical link: https://commits.webkit.org/269095@main
Commit: 946b13e5e935e2ab712e25d43a4b1e0479d82acf
https://github.com/WebKit/WebKit/commit/946b13e5e935e2ab712e25d43a4b1e0479d82acf
Author: Chirag M Shah <chirag_m_shah at apple.com>
Date: 2023-10-09 (Mon, 09 Oct 2023)
Changed paths:
A LayoutTests/storage/indexeddb/memory-backing-store-crash-expected.txt
A LayoutTests/storage/indexeddb/memory-backing-store-crash.html
M Source/WebCore/Modules/indexeddb/server/MemoryBackingStoreTransaction.cpp
Log Message:
-----------
Fix heap-use-after-free MemoryIDBBackingStore
https://bugs.webkit.org/show_bug.cgi?id=258583
rdar://109095466
Reviewed by Brady Eidson.
We delete the object store in MemoryIDBBackingStore::deleteObjectStore
but can still end up dereferencing the dangling pointer in
MemoryBackingStoreTransaction::abort when going through
m_originalObjectStoreNames. This change removes the deleted object
store's pointer from m_originalObjectStoreNames so we don't hold on to
anything we shouldn't de-reference, and hence fixes the heap
use-after-free.
* Source/WebCore/Modules/indexeddb/server/MemoryBackingStoreTransaction.cpp:
(WebCore::IDBServer::MemoryBackingStoreTransaction::objectStoreDeleted):
* LayoutTests/storage/indexeddb/memory-backing-store-crash-expected.txt: Added.
* LayoutTests/storage/indexeddb/memory-backing-store-crash.html: Added.
Originally-landed-as: 265870.9 at safari-7616-branch (d372d5ed86fe). rdar://116424113
Canonical link: https://commits.webkit.org/269096@main
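The MemoryIDBBackingStore fix removes a deleted object store's pointer from the transaction's m_originalObjectStoreNames before the store is freed, so abort() never walks a dangling entry. The following is an added model of that fix, not WebKit's IndexedDB code: BackingStore, BackingStoreTransaction, recordOriginalName and the rename/delete/abort scenario are constructed for the example; only the objectStoreDeleted and m_originalObjectStoreNames names are taken from the commit message.

```cpp
#include <map>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Constructed example (not WebKit's code).
struct ObjectStore {
    std::string name;
    explicit ObjectStore(std::string n) : name(std::move(n)) { }
};

class BackingStoreTransaction;

class BackingStore {
public:
    ObjectStore* createObjectStore(const std::string& key)
    {
        auto store = std::make_unique<ObjectStore>(key);
        ObjectStore* raw = store.get();
        m_stores[key] = std::move(store);
        return raw;
    }
    // Destroys the store. The transaction is told first so it drops its raw
    // pointer before the memory goes away.
    void deleteObjectStore(const std::string& key, BackingStoreTransaction&);

private:
    std::map<std::string, std::unique_ptr<ObjectStore>> m_stores; // keyed by creation name
};

class BackingStoreTransaction {
public:
    // Remembers the store's current name so abort() can rename it back.
    void recordOriginalName(ObjectStore& store) { m_originalObjectStoreNames[&store] = store.name; }

    // The fix: forget the store so abort() cannot dereference it after deletion.
    void objectStoreDeleted(ObjectStore& store) { m_originalObjectStoreNames.erase(&store); }

    // Rolls back renames of the stores still tracked; returns the names restored.
    std::vector<std::string> abort()
    {
        std::vector<std::string> restored;
        for (auto& [store, originalName] : m_originalObjectStoreNames) {
            store->name = originalName; // safe: only live stores remain in the map
            restored.push_back(originalName);
        }
        m_originalObjectStoreNames.clear();
        return restored;
    }

    size_t trackedCount() const { return m_originalObjectStoreNames.size(); }

private:
    std::map<ObjectStore*, std::string> m_originalObjectStoreNames;
};

void BackingStore::deleteObjectStore(const std::string& key, BackingStoreTransaction& txn)
{
    auto it = m_stores.find(key);
    if (it == m_stores.end())
        return;
    txn.objectStoreDeleted(*it->second); // must happen before the unique_ptr is destroyed
    m_stores.erase(it);
}

// Scenario from the bug: rename two stores inside a transaction, delete one,
// then abort. Without objectStoreDeleted(), abort() would write through the
// freed store "a". Returns the names abort() restored.
std::vector<std::string> renameDeleteAbortScenario()
{
    BackingStore backingStore;
    BackingStoreTransaction txn;
    ObjectStore* a = backingStore.createObjectStore("a");
    ObjectStore* b = backingStore.createObjectStore("b");
    txn.recordOriginalName(*a);
    a->name = "a-renamed";
    txn.recordOriginalName(*b);
    b->name = "b-renamed";
    backingStore.deleteObjectStore("a", txn); // "a" is freed and forgotten by txn
    return txn.abort();                        // touches only "b"
}
```

Under AddressSanitizer the un-fixed ordering (freeing the store first, erasing its entry never) reports a heap-use-after-free at the `store->name = originalName` line, which is how such bugs are typically caught in fuzzing and layout tests like the one added in this commit.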
Compare: https://github.com/WebKit/WebKit/compare/dd54547c2b7b...946b13e5e935