[webkit-changes] [WebKit/WebKit] b728e5: heap-use-after-free | WebCore::MediaRecorderPrivat...

Jean-Yves Avenard noreply at github.com
Fri Aug 2 21:24:49 PDT 2024 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: b728e584a883c12a86abe5d6932ad5a3715e4ccf
      https://github.com/WebKit/WebKit/commit/b728e584a883c12a86abe5d6932ad5a3715e4ccf
  Author: Youenn Fablet <youenn at apple.com>
  Date:   2024-08-02 (Fri, 02 Aug 2024)

  Changed paths:
    M Source/WebCore/platform/mediarecorder/cocoa/MediaRecorderPrivateWriterCocoa.mm

  Log Message:
  -----------
  heap-use-after-free | WebCore::MediaRecorderPrivateWriter::flushCompressedSampleBuffers; Detail::CallableWrapper::call; WTF::RunLoop::performWork)
rdar://129292824

Reviewed by Andy Estes.

Adding a weakThis check we missed when adopting ThreadSafefWeakPtr.

* Source/WebCore/platform/mediarecorder/cocoa/MediaRecorderPrivateWriterCocoa.mm:
(WebCore::MediaRecorderPrivateWriter::fetchData):

Originally-landed-as: 272448.1073 at safari-7618-branch (891cf8c9dbac). rdar://132954379
Canonical link: https://commits.webkit.org/281790@main


  Commit: 8da2eab7ffa0f22bb36806f41c043a0af5bc0973
      https://github.com/WebKit/WebKit/commit/8da2eab7ffa0f22bb36806f41c043a0af5bc0973
  Author: Dan Hecht <dan.hecht at apple.com>
  Date:   2024-08-02 (Fri, 02 Aug 2024)

  Changed paths:
    A JSTests/stress/regress-119545295.js
    M Source/JavaScriptCore/runtime/InternalFunction.cpp

  Log Message:
  -----------
  [JSC] JSGlobalObject::arrayStructureForIndexingTypeDuringAllocation may allow creation of an undecided array with a Proxy object in the prototype chain
https://bugs.webkit.org/show_bug.cgi?id=274870
rdar://119545295

Reviewed by Keith Miller.

When constructing an array along this particular path, newTarget.prototype could
have a getter that induces a bad time. We need to check for this case and handle
it explicitly since the array isn't yet fully constructed and thus won't be handled
by the having a bad time machinery.

* JSTests/stress/regress-119545295.js: Added.
(main.const.new_target):
* Source/JavaScriptCore/runtime/InternalFunction.cpp:
(JSC::InternalFunction::createSubclassStructure):

Originally-landed-as: 272448.1052 at safari-7618-branch (d4c5d33ae803). rdar://132954559
Canonical link: https://commits.webkit.org/281791@main


  Commit: 4f4fdbf93a5952a568b92e2b690304aa24825fe2
      https://github.com/WebKit/WebKit/commit/4f4fdbf93a5952a568b92e2b690304aa24825fe2
  Author: Alex Christensen <achristensen at apple.com>
  Date:   2024-08-02 (Fri, 02 Aug 2024)

  Changed paths:
    M Source/WebKit/NetworkProcess/cocoa/NetworkDataTaskCocoa.mm
    M Tools/TestWebKitAPI/Tests/WebKitCocoa/WebSocket.mm

  Log Message:
  -----------
  Disallow non-WebSocket use of ws and wss schemes at NetworkDataTaskCocoa level
rdar://81997401

Reviewed by Brady Eidson.

If you type wss://example.com into the URL bar of Safari, it will call WKWebView.loadRequest
with that URL, and we will give it to CFNetwork, and it will successfully load https://example.com
but in Chrome and Firefox it fails to load.  We need it to also fail to load.  It used to
successfully load for legacy reasons related to the time before the existence of the
NSURLSessionWebSocketTask API, but now that NSURLSessionWebSocketTask exists it is no longer needed,
so when configuration._usesNWLoader is YES CFNetwork does this for us.  WebKit's use of NSURLSession
does not need to mix ws/wss and http/https schemes, so we can fail loads before making an
NSURLSessionDataTask and our loading of http/https URLs still works because it uses NSURLSessionDataTask
in the normal way, and our ws/wss URL "loading" still works because we use NSURLSessionWebSocketTask
for those URLs through the JavaScript WebSocket object, the way WebSockets are supposed to be created
from web content.

* Source/WebKit/NetworkProcess/cocoa/NetworkDataTaskCocoa.mm:
(WebKit::NetworkDataTaskCocoa::NetworkDataTaskCocoa):
* Tools/TestWebKitAPI/Tests/WebKitCocoa/WebSocket.mm:
(TestWebKitAPI::TEST):

Originally-landed-as: 272448.1042 at safari-7618-branch (0a3f4d58c388). rdar://132954656
Canonical link: https://commits.webkit.org/281792@main


  Commit: ef46d74db28f933175a36860aae0d4433479fe62
      https://github.com/WebKit/WebKit/commit/ef46d74db28f933175a36860aae0d4433479fe62
  Author: Youenn Fablet <youenn at apple.com>
  Date:   2024-08-02 (Fri, 02 Aug 2024)

  Changed paths:
    M LayoutTests/http/wpt/webcodecs/videoFrame-rect-expected.txt
    M LayoutTests/http/wpt/webcodecs/videoFrame-rect.html
    M Source/WebCore/Modules/webcodecs/WebCodecsVideoFrameAlgorithms.cpp

  Log Message:
  -----------
  WebCodecs VideoFrame Out-Of-Bounds Read
rdar://127438135

Reviewed by Jean-Yves Avenard.

When passing a NaN, our size error checks would be bypassed as comparing with NaN returns false.
We add finite checks to x, y, width and height and add a corresponding test.

* LayoutTests/http/wpt/webcodecs/videoFrame-rect-expected.txt:
* LayoutTests/http/wpt/webcodecs/videoFrame-rect.html:
* Source/WebCore/Modules/webcodecs/WebCodecsVideoFrameAlgorithms.cpp:
(WebCore::parseVisibleRect):

Originally-landed-as: 272448.1035 at safari-7618-branch (9c4e3c807b79). rdar://132954751
Canonical link: https://commits.webkit.org/281793@main


  Commit: b8956add13308d76eff2f87c28f99751af0d26ee
      https://github.com/WebKit/WebKit/commit/b8956add13308d76eff2f87c28f99751af0d26ee
  Author: Jean-Yves Avenard <jya at apple.com>
  Date:   2024-08-02 (Fri, 02 Aug 2024)

  Changed paths:
    M Source/WebCore/PAL/ThirdParty/libavif/ThirdParty/dav1d/src/refmvs.c

  Log Message:
  -----------
  Potential 'overread' issue commited to upstream dav1d https://bugs.webkit.org/show_bug.cgi?id=274070 rdar://125547790

Reviewed by Youenn Fablet.

The refmvs_block struct is only 12 bytes large but it's accessed
using 16-byte unaligned loads in asm.

In order to avoid reading past the end of the allocated buffer
we therefore need to pad the allocation size by 4 bytes.
Fix from upstream 076955a1534bb49325a2252f6a1f494674e5363a

* Source/WebCore/PAL/ThirdParty/libavif/ThirdParty/dav1d/src/refmvs.c:
(dav1d_refmvs_init_frame):

Originally-landed-as: 272448.1027 at safari-7618-branch (17ea9a97d6d4). rdar://132954870
Canonical link: https://commits.webkit.org/281794@main


Compare: https://github.com/WebKit/WebKit/compare/0b2843995193...b8956add1330

To unsubscribe from these emails, change your notification settings at https://github.com/WebKit/WebKit/settings/notifications

More information about the webkit-changes mailing list