[webkit-changes] [WebKit/WebKit] 579746: Data Isolation/PSON bypass due to UI-side PageLoad...
Alan Baradlay
noreply at github.com
Mon Oct 9 13:29:32 PDT 2023
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 57974637773d4ac594a1775866b9cb3a3656037c
https://github.com/WebKit/WebKit/commit/57974637773d4ac594a1775866b9cb3a3656037c
Author: Charlie Wolfe <charliew at apple.com>
Date: 2023-10-09 (Mon, 09 Oct 2023)
Changed paths:
M Source/WebKit/UIProcess/WebPageProxy.cpp
Log Message:
-----------
Data Isolation/PSON bypass due to UI-side PageLoadState state-machine relying on data which is distinct from that used to make Policy/Network Load decisions
https://bugs.webkit.org/show_bug.cgi?id=257732
rdar://107186055
Reviewed by Chris Dumez.
When `didStartProvisionalLoadForFrame` is called, pageLoadState is updated to store the provisional URL
with a value passed from the web process. This URL is later consulted in `processForNavigationInternal`
when determining if the navigation is same-site. Since this URL is coming from the web process, we
should verify that the URL has not been changed from when it was set on the navigation object in
`decidePolicyForNavigationAction`.
* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::didStartProvisionalLoadForFrameShared):
Originally-landed-as: 265870.10 at safari-7616-branch (b5aa6d4342b7). rdar://116424252
Canonical link: https://commits.webkit.org/269100@main
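To make the trust boundary in the commit above concrete, here is an added model (this example's own code, not WebKit's) of the UI-side state machine it describes: the URL approved in decidePolicyForNavigationAction is recorded UI-side, the provisional URL the web process later reports must equal it or the message is rejected, and the same-site decision reads only the validated UI-side state. All type and function names, and the host-based notion of "site", are this example's simplifications.

```cpp
#include <cstdint>
#include <map>
#include <string>

// Stand-ins for the UI-side objects involved; all names here are this example's own.
struct Navigation { std::string requestURL; };      // recorded in decidePolicyForNavigationAction
struct PageLoadState { std::string provisionalURL; }; // recorded in didStartProvisionalLoad

// Simplified "site" of a URL such as "https://a.example/path": scheme plus host.
// Real code compares registrable domains; host comparison is enough to show the check's shape.
std::string siteOf(const std::string& url)
{
    auto schemeEnd = url.find("://");
    if (schemeEnd == std::string::npos)
        return {};
    return url.substr(0, url.find('/', schemeEnd + 3));
}

class WebPageProxyModel {
public:
    // Policy decision: the UI process records the URL it approved for this navigation.
    uint64_t decidePolicyForNavigationAction(const std::string& url)
    {
        uint64_t id = ++m_nextNavigationID;
        m_navigations[id] = Navigation { url };
        return id;
    }

    // The hardening: the provisional URL reported by the web process must equal the URL the
    // UI process approved. A mismatch or unknown navigation rejects the message, like a
    // failing MESSAGE_CHECK, and leaves the page-load state untouched.
    bool didStartProvisionalLoad(uint64_t navigationID, const std::string& urlFromWebProcess)
    {
        auto it = m_navigations.find(navigationID);
        if (it == m_navigations.end() || it->second.requestURL != urlFromWebProcess)
            return false;
        m_pageLoadState.provisionalURL = urlFromWebProcess;
        return true;
    }

    // The process-swap decision reads only UI-side state, which the check above has validated.
    bool navigationIsSameSite(const std::string& destinationURL) const
    {
        return siteOf(m_pageLoadState.provisionalURL) == siteOf(destinationURL);
    }
private:
    uint64_t m_nextNavigationID = 0;
    std::map<uint64_t, Navigation> m_navigations;
    PageLoadState m_pageLoadState;
};
```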
Commit: d120c8413d8434b8547cc82ca6856679f2563752
https://github.com/WebKit/WebKit/commit/d120c8413d8434b8547cc82ca6856679f2563752
Author: Chris Dumez <cdumez at apple.com>
Date: 2023-10-09 (Mon, 09 Oct 2023)
Changed paths:
M Source/WebKit/UIProcess/WebPageProxy.cpp
Log Message:
-----------
MESSAGE_CHECK() originalURLString in WebPageProxy::backForwardAddItemShared()
https://bugs.webkit.org/show_bug.cgi?id=259111
rdar://112058151
Reviewed by Brent Fulgham.
MESSAGE_CHECK() originalURLString in WebPageProxy::backForwardAddItemShared()
as hardening, the same way we already do for urlString.
* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::backForwardAddItemShared):
Originally-landed-as: 265870.12 at safari-7616-branch (3f548e40249b). rdar://116424474
Canonical link: https://commits.webkit.org/269101@main
Commit: c031542a9d50bb2a0c103818d0a88838b54ff794
https://github.com/WebKit/WebKit/commit/c031542a9d50bb2a0c103818d0a88838b54ff794
Author: Arunsundar Kannan <arunsundar_kannan at apple.com>
Date: 2023-10-09 (Mon, 09 Oct 2023)
Changed paths:
A LayoutTests/http/wpt/webcodecs/I420ToNV12-convert-heap-buffer-overflow-expected.txt
A LayoutTests/http/wpt/webcodecs/I420ToNV12-convert-heap-buffer-overflow.html
M Source/ThirdParty/libwebrtc/Source/webrtc/sdk/WebKit/WebKitUtilities.mm
M Source/WebCore/Modules/webcodecs/WebCodecsVideoFrameAlgorithms.cpp
Log Message:
-----------
Heap-buffer-overflow in I420ToNV12 when the length of the given data buffer is higher than allocation size but lower than the product of width and height of the videoframe.
https://bugs.webkit.org/show_bug.cgi?id=257548.
rdar://109886863.
Reviewed by Youenn Fablet.
This change adds a check to see if the given data buffer is longer than width*height in order to avoid the out-of-bounds access of the buffer.
* LayoutTests/imported/w3c/web-platform-tests/webcodecs/I420ToNV12-heap-buffer-overflow-expected.txt: Added.
* LayoutTests/imported/w3c/web-platform-tests/webcodecs/I420ToNV12-heap-buffer-overflow.html: Added.
* Source/ThirdParty/libwebrtc/Source/webrtc/sdk/WebKit/WebKitUtilities.mm:
(webrtc::pixelBufferFromI420Buffer):
Originally-landed-as: 265870.56 at safari-7616-branch (430e9edcf1f4). rdar://116424551
Canonical link: https://commits.webkit.org/269102@main
Commit: 176844ce6b7081d18c274f3c391b5c3a81f84f2c
https://github.com/WebKit/WebKit/commit/176844ce6b7081d18c274f3c391b5c3a81f84f2c
Author: Arunsundar Kannan <arunsundar_kannan at apple.com>
Date: 2023-10-09 (Mon, 09 Oct 2023)
Changed paths:
A LayoutTests/http/wpt/webcodecs/createNV12-heap-buffer-overflow-expected.txt
A LayoutTests/http/wpt/webcodecs/createNV12-heap-buffer-overflow.html
M Source/WebCore/Modules/webcodecs/WebCodecsVideoFrameAlgorithms.cpp
M Source/WebCore/platform/graphics/cv/VideoFrameCV.mm
Log Message:
-----------
Heap-buffer-overflow in WebCore::VideoFrame::createNV12.
https://bugs.webkit.org/show_bug.cgi?id=257550.
rdar://110003963 (jsc_fuz/wktr: heap-buffer-overflow in WebCore::VideoFrame::createNV12()).
Reviewed by Youenn Fablet.
This change adds a check to see if the given data buffer is longer than width*height in order to avoid the out-of-bounds access of the data buffer.
* LayoutTests/imported/w3c/web-platform-tests/webcodecs/createNV12-heap-buffer-overflow-expected.txt: Added.
* LayoutTests/imported/w3c/web-platform-tests/webcodecs/createNV12-heap-buffer-overflow.html: Added.
* Source/WebCore/platform/graphics/cv/VideoFrameCV.mm:
(WebCore::VideoFrame::createNV12):
Originally-landed-as: 265870.60 at safari-7616-branch (6a266ad796ff). rdar://116424723
Canonical link: https://commits.webkit.org/269103@main
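Both WebCodecs commits above (269102 and 269103) hinge on the same guard: the supplied data buffer must cover the whole plane layout derived from width and height, not merely exceed its own allocation. The following is an added example, not WebKit's or libwebrtc's code, of that guard in isolation with the required-size computation, the check, and an I420 to NV12 conversion that refuses undersized input; the function names, the dimension cap and the sample frame are this example's own.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <vector>

constexpr uint32_t kMaxDimension = 1 << 15; // this example's own cap; keeps every size below 2^31
// Bytes an I420 (planar YUV 4:2:0) frame needs: a w*h Y plane plus two chroma planes of
// ceil(w/2)*ceil(h/2). Returns 0 for zero or oversized dimensions so nothing is sized from garbage.
size_t i420RequiredBytes(uint32_t width, uint32_t height)
{
    if (!width || !height || width > kMaxDimension || height > kMaxDimension)
        return 0;
    size_t w = width, h = height;
    return w * h + 2 * ((w + 1) / 2) * ((h + 1) / 2); // at most 2^30 + 2^29: no overflow
}

// The guard the two commits describe: the buffer must cover every byte the plane layout
// will read; being non-empty, or merely larger than its own allocation, is not enough.
bool bufferCoversI420Frame(uint32_t width, uint32_t height, size_t bufferLength)
{
    size_t needed = i420RequiredBytes(width, height);
    return needed && bufferLength >= needed;
}

// I420 -> NV12 (Y plane, then interleaved U/V), gated on the guard; empty result for undersized input.
std::vector<uint8_t> i420ToNV12(const std::vector<uint8_t>& i420, uint32_t width, uint32_t height)
{
    if (!bufferCoversI420Frame(width, height, i420.size()))
        return {};
    size_t ySize = static_cast<size_t>(width) * height;
    size_t chromaSize = static_cast<size_t>((width + 1) / 2) * ((height + 1) / 2);
    const uint8_t* u = i420.data() + ySize;
    const uint8_t* v = u + chromaSize;
    std::vector<uint8_t> nv12(ySize + 2 * chromaSize);
    std::copy_n(i420.data(), ySize, nv12.data());
    for (size_t i = 0; i < chromaSize; ++i) {
        nv12[ySize + 2 * i] = u[i];
        nv12[ySize + 2 * i + 1] = v[i];
    }
    return nv12;
}

int main()
{
    // Constructed 4x2 frame: 8 Y bytes, then U = {100, 101}, V = {200, 201}.
    std::vector<uint8_t> frame = { 0, 1, 2, 3, 4, 5, 6, 7, 100, 101, 200, 201 };
    std::vector<uint8_t> truncated(frame.begin(), frame.end() - 2); // 10 bytes: too short for 4x2
    return i420ToNV12(frame, 4, 2).size() == 12 && i420ToNV12(truncated, 4, 2).empty() ? 0 : 1;
}
```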
Commit: 089727e3a24abd707bc0ccc4d033c6a5c3b9e8b5
https://github.com/WebKit/WebKit/commit/089727e3a24abd707bc0ccc4d033c6a5c3b9e8b5
Author: Alan Baradlay <zalan at apple.com>
Date: 2023-10-09 (Mon, 09 Oct 2023)
Changed paths:
A LayoutTests/fast/multicol/crash-when-legend-is-present-expected.txt
A LayoutTests/fast/multicol/crash-when-legend-is-present.html
M Source/WebCore/rendering/updating/RenderTreeBuilderMultiColumn.cpp
Log Message:
-----------
Legends could be valid non-spanner siblings of RenderMultiColumnSet
https://bugs.webkit.org/show_bug.cgi?id=258675
<rdar://111221306>
Reviewed by Antti Koivisto.
We usually construct one RenderMultiColumnSet renderer for a multi-column context.
e.g:
<div style="column-count: 2">
  <div></div>
  <div></div>
  <div></div>
</div>
generates the following render tree structure:
DIV RenderBlockFlow
  RenderMultiColumnFlowThread
    DIV RenderBlockFlow
    DIV RenderBlockFlow
    DIV RenderBlockFlow
  RenderMultiColumnSet
We also construct RenderMultiColumnSets for column spanners
e.g.
<div style="column-count: 2">
  <div style="column-span: all"></div>
  <div></div>
  <div></div>
</div>
where the spanner is moved out of the column context indicating it spans all the columns
DIV RenderBlockFlow
  RenderMultiColumnFlowThread
    RenderMultiColumnSpannerPlaceholder (this is the <div>'s original insertion point)
    DIV RenderBlockFlow
    DIV RenderBlockFlow
  RenderMultiColumnSet
  DIV RenderBlockFlow (moved out column spanner)
  RenderMultiColumnSet
However, since <legend> does not participate in multi-column, it does _not_ get moved under RenderMultiColumnFlowThread when constructing the multi-column context
and ends up being a sibling of the RenderMultiColumnSet.
e.g.
FIELDSET RenderFieldSet
  RenderMultiColumnFlowThread
    RenderBlock
  RenderMultiColumnSet
  LEGEND RenderBlock
and later it gets mistaken for a column spanner and as a result we construct a redundant RenderMultiColumnSet.
This patch handles this case by checking against legend siblings.
* LayoutTests/fast/multicol/crash-when-legend-is-present-expected.txt: Added.
* LayoutTests/fast/multicol/crash-when-legend-is-present.html: Added.
* Source/WebCore/rendering/updating/RenderTreeBuilderMultiColumn.cpp:
(WebCore::RenderTreeBuilder::MultiColumn::processPossibleSpannerDescendant):
Originally-landed-as: 265870.61 at safari-7616-branch (9ff2ba06a74f). rdar://116424838
Canonical link: https://commits.webkit.org/269104@main
Compare: https://github.com/WebKit/WebKit/compare/08d5d17c766f...089727e3a24a