[webkit-changes] [WebKit/WebKit] 579746: Data Isolation/PSON bypass due to UI-side PageLoad...

Alan Baradlay noreply at github.com
Mon Oct 9 13:29:32 PDT 2023


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 57974637773d4ac594a1775866b9cb3a3656037c
      https://github.com/WebKit/WebKit/commit/57974637773d4ac594a1775866b9cb3a3656037c
  Author: Charlie Wolfe <charliew at apple.com>
  Date:   2023-10-09 (Mon, 09 Oct 2023)

  Changed paths:
    M Source/WebKit/UIProcess/WebPageProxy.cpp

  Log Message:
  -----------
  Data Isolation/PSON bypass due to UI-side PageLoadState state-machine relying on data which is distinct from that used to make Policy/Network Load decisions
https://bugs.webkit.org/show_bug.cgi?id=257732
rdar://107186055

Reviewed by Chris Dumez.

When `didStartProvisionalLoadForFrame` is called, pageLoadState is updated to store the provisional URL
with a value passed from the web process. This URL is later consulted in `processForNavigationInternal`
when determining if the navigation is same-site. Since this URL is coming from the web process, we
should verify that the URL has not been changed from when it was set on the navigation object in
`decidePolicyForNavigationAction`.

* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::didStartProvisionalLoadForFrameShared):

Originally-landed-as: 265870.10 at safari-7616-branch (b5aa6d4342b7). rdar://116424252
Canonical link: https://commits.webkit.org/269100@main


  Commit: d120c8413d8434b8547cc82ca6856679f2563752
      https://github.com/WebKit/WebKit/commit/d120c8413d8434b8547cc82ca6856679f2563752
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-10-09 (Mon, 09 Oct 2023)

  Changed paths:
    M Source/WebKit/UIProcess/WebPageProxy.cpp

  Log Message:
  -----------
  MESSAGE_CHECK() originalURLString in WebPageProxy::backForwardAddItemShared()
https://bugs.webkit.org/show_bug.cgi?id=259111
rdar://112058151

Reviewed by Brent Fulgham.

MESSAGE_CHECK() originalURLString in WebPageProxy::backForwardAddItemShared()
as hardening, the same way we already do for urlString.

* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::backForwardAddItemShared):

Originally-landed-as: 265870.12 at safari-7616-branch (3f548e40249b). rdar://116424474
Canonical link: https://commits.webkit.org/269101@main


  Commit: c031542a9d50bb2a0c103818d0a88838b54ff794
      https://github.com/WebKit/WebKit/commit/c031542a9d50bb2a0c103818d0a88838b54ff794
  Author: Arunsundar Kannan <arunsundar_kannan at apple.com>
  Date:   2023-10-09 (Mon, 09 Oct 2023)

  Changed paths:
    A LayoutTests/http/wpt/webcodecs/I420ToNV12-convert-heap-buffer-overflow-expected.txt
    A LayoutTests/http/wpt/webcodecs/I420ToNV12-convert-heap-buffer-overflow.html
    M Source/ThirdParty/libwebrtc/Source/webrtc/sdk/WebKit/WebKitUtilities.mm
    M Source/WebCore/Modules/webcodecs/WebCodecsVideoFrameAlgorithms.cpp

  Log Message:
  -----------
  Heap-buffer-overflow in I420ToNV12 when the length of the given data buffer is higher than allocation size but lower than the product of width and height of the videoframe.
https://bugs.webkit.org/show_bug.cgi?id=257548.
rdar://109886863.

Reviewed by Youenn Fablet.

This change adds a check to see if the given data buffer is longer than width*height in order to avoid the out-of-bounds access of the buffer.

* LayoutTests/imported/w3c/web-platform-tests/webcodecs/I420ToNV12-heap-buffer-overflow-expected.txt: Added.
* LayoutTests/imported/w3c/web-platform-tests/webcodecs/I420ToNV12-heap-buffer-overflow.html: Added.
* Source/ThirdParty/libwebrtc/Source/webrtc/sdk/WebKit/WebKitUtilities.mm:
    (webrtc::pixelBufferFromI420Buffer):

Originally-landed-as: 265870.56 at safari-7616-branch (430e9edcf1f4). rdar://116424551
Canonical link: https://commits.webkit.org/269102@main


  Commit: 176844ce6b7081d18c274f3c391b5c3a81f84f2c
      https://github.com/WebKit/WebKit/commit/176844ce6b7081d18c274f3c391b5c3a81f84f2c
  Author: Arunsundar Kannan <arunsundar_kannan at apple.com>
  Date:   2023-10-09 (Mon, 09 Oct 2023)

  Changed paths:
    A LayoutTests/http/wpt/webcodecs/createNV12-heap-buffer-overflow-expected.txt
    A LayoutTests/http/wpt/webcodecs/createNV12-heap-buffer-overflow.html
    M Source/WebCore/Modules/webcodecs/WebCodecsVideoFrameAlgorithms.cpp
    M Source/WebCore/platform/graphics/cv/VideoFrameCV.mm

  Log Message:
  -----------
  Heap-buffer-overflow in WebCore::VideoFrame::createNV12.
https://bugs.webkit.org/show_bug.cgi?id=257550.
rdar://110003963 (jsc_fuz/wktr: heap-buffer-overflow in WebCore::VideoFrame::createNV12()).

Reviewed by Youenn Fablet.

This change adds a check to see if the given data buffer is longer than width*height in order to avoid the out-of-bounds access of the data buffer.

* LayoutTests/imported/w3c/web-platform-tests/webcodecs/createNV12-heap-buffer-overflow-expected.txt: Added.
* LayoutTests/imported/w3c/web-platform-tests/webcodecs/createNV12-heap-buffer-overflow.html: Added.
* Source/WebCore/platform/graphics/cv/VideoFrameCV.mm:
(WebCore::VideoFrame::createNV12):

Originally-landed-as: 265870.60 at safari-7616-branch (6a266ad796ff). rdar://116424723
Canonical link: https://commits.webkit.org/269103@main
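The length check described in the two WebCodecs commit messages above (I420ToNV12 and createNV12), as an added example that is not WebKit's code: a checked size computation for an 8-bit 4:2:0 frame, and an I420-to-NV12 converter that refuses any input shorter than what the declared width and height require instead of reading past the end of it. The function names, the std::vector-based API and the 2x2 sample bytes are constructed for this example; the plane layout (a width*height luma plane followed by two chroma planes of ceil(width/2)*ceil(height/2)) is the standard I420/NV12 layout.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <limits>
#include <optional>
#include <vector>

// Hypothetical helper (not WebKit code): the byte count an 8-bit 4:2:0 frame
// with these dimensions occupies, i.e. a width*height luma plane plus two
// chroma planes of ceil(width/2)*ceil(height/2) each. Every multiplication
// and addition is checked so that untrusted dimensions cannot wrap the size
// to a small value that then passes a length comparison.
std::optional<size_t> required420ByteCount(size_t width, size_t height)
{
    if (!width || !height)
        return std::nullopt;
    if (width > std::numeric_limits<size_t>::max() / height)
        return std::nullopt;
    size_t luma = width * height;
    // ceil(n/2) written as n/2 + n%2 so that n + 1 cannot overflow.
    // Each chroma dimension is at most the luma dimension, so this product
    // cannot exceed luma and cannot overflow.
    size_t chroma = (width / 2 + width % 2) * (height / 2 + height % 2);
    if (chroma > (std::numeric_limits<size_t>::max() - luma) / 2)
        return std::nullopt;
    return luma + 2 * chroma;
}

// Hypothetical converter (not WebKit code): planar I420 (Y, U, V) to NV12
// (Y, then interleaved UV). Refuses, without touching `nv12`, any input whose
// length is below what the declared dimensions require, which is the kind of
// mismatch the two WebCodecs fixes guard against.
bool convertI420ToNV12(const std::vector<uint8_t>& i420, size_t width, size_t height, std::vector<uint8_t>& nv12)
{
    std::optional<size_t> needed = required420ByteCount(width, height);
    if (!needed || i420.size() < *needed)
        return false;

    size_t luma = width * height;
    size_t chroma = (width / 2 + width % 2) * (height / 2 + height % 2);
    nv12.assign(*needed, 0);
    std::copy_n(i420.data(), luma, nv12.data());
    const uint8_t* u = i420.data() + luma;
    const uint8_t* v = u + chroma;
    uint8_t* uv = nv12.data() + luma;
    for (size_t i = 0; i < chroma; ++i) {
        uv[2 * i] = u[i];
        uv[2 * i + 1] = v[i];
    }
    return true;
}

// Constructed 2x2 sample: Y = 1,2,3,4 then U = 5 then V = 6 (6 bytes in total).
std::vector<uint8_t> sampleI420() { return { 1, 2, 3, 4, 5, 6 }; }

// Exercises the happy path and the short-buffer rejection; true when both behave.
bool sampleConversionsBehave()
{
    std::vector<uint8_t> out;
    if (!convertI420ToNV12(sampleI420(), 2, 2, out))
        return false;
    if (out != std::vector<uint8_t> { 1, 2, 3, 4, 5, 6 })
        return false;
    // Five bytes is more than the 4-byte luma plane but fewer than the six
    // the 2x2 frame needs: exactly the "longer than one plane, shorter than
    // the whole frame" window, and it must be rejected rather than read past.
    std::vector<uint8_t> shortInput = sampleI420();
    shortInput.pop_back();
    std::vector<uint8_t> untouched;
    return !convertI420ToNV12(shortInput, 2, 2, untouched) && untouched.empty();
}

int main()
{
    std::printf("2x2 frame needs %zu bytes; sample checks %s\n",
        required420ByteCount(2, 2).value(), sampleConversionsBehave() ? "pass" : "fail");
    return 0;
}
```

The size computation is the part worth copying: a plain `width * height` comparison is only a defence if the product itself cannot wrap, so the check on the dimensions has to come before the check on the buffer length.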


  Commit: 089727e3a24abd707bc0ccc4d033c6a5c3b9e8b5
      https://github.com/WebKit/WebKit/commit/089727e3a24abd707bc0ccc4d033c6a5c3b9e8b5
  Author: Alan Baradlay <zalan at apple.com>
  Date:   2023-10-09 (Mon, 09 Oct 2023)

  Changed paths:
    A LayoutTests/fast/multicol/crash-when-legend-is-present-expected.txt
    A LayoutTests/fast/multicol/crash-when-legend-is-present.html
    M Source/WebCore/rendering/updating/RenderTreeBuilderMultiColumn.cpp

  Log Message:
  -----------
  Legends could be valid non-spanner siblings of RenderMultiColumnSet
https://bugs.webkit.org/show_bug.cgi?id=258675
<rdar://111221306>

Reviewed by Antti Koivisto.

We usually construct one RenderMultiColumnSet renderer for a multi-column context.

e.g:
<div style="column-count: 2">
  <div></div>
  <div></div>
  <div></div>
</div>

generates the following render tree structure:

DIV RenderBlockFlow
  RenderMultiColumnFlowThread
    DIV RenderBlockFlow
    DIV RenderBlockFlow
    DIV RenderBlockFlow
  RenderMultiColumnSet

We also construct RenderMultiColumnSets for column spanners
e.g.
<div style="column-count: 2">
  <div style="column-span: all"></div>
  <div></div>
  <div></div>
</div>

where the spanner is moved out of the column context indicating it spans all the columns

DIV RenderBlockFlow
  RenderMultiColumnFlowThread
    RenderMultiColumnSpannerPlaceholder (this is the <div>'s original insertion point)
    DIV RenderBlockFlow
    DIV RenderBlockFlow
  RenderMultiColumnSet
  DIV RenderBlockFlow (moved out column spanner)
  RenderMultiColumnSet

However, since <legend> does not participate in multi-column, it does _not_ get moved under RenderMultiColumnFlowThread when constructing the multi-column context
and ends up being a sibling of the RenderMultiColumnSet.

e.g.

FIELDSET RenderFieldSet
  RenderMultiColumnFlowThread
    RenderBlock
  RenderMultiColumnSet
  LEGEND RenderBlock

and later it gets mistaken for a column spanner and, as a result, we construct a redundant RenderMultiColumnSet.

This patch handles this case by checking against legend siblings.

* LayoutTests/fast/multicol/crash-when-legend-is-present-expected.txt: Added.
* LayoutTests/fast/multicol/crash-when-legend-is-present.html: Added.
* Source/WebCore/rendering/updating/RenderTreeBuilderMultiColumn.cpp:
(WebCore::RenderTreeBuilder::MultiColumn::processPossibleSpannerDescendant):

Originally-landed-as: 265870.61 at safari-7616-branch (9ff2ba06a74f). rdar://116424838
Canonical link: https://commits.webkit.org/269104@main


Compare: https://github.com/WebKit/WebKit/compare/08d5d17c766f...089727e3a24a

