[webkit-changes] [WebKit/WebKit] 1e99eb: [LibAVIF Downstream] Potential 'over-read' issue c...

Chris Dumez noreply at github.com
Mon Aug 5 10:37:50 PDT 2024


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 1e99eb3b139ea79efd03877bd2053df972dad45f
      https://github.com/WebKit/WebKit/commit/1e99eb3b139ea79efd03877bd2053df972dad45f
  Author: Said Abou-Hallawa <said at apple.com>
  Date:   2024-08-05 (Mon, 05 Aug 2024)

  Changed paths:
    M Source/WebCore/PAL/ThirdParty/libavif/src/obu.c

  Log Message:
  -----------
  [LibAVIF Downstream] Potential 'over-read' issue committed to upstream libavif
https://bugs.webkit.org/show_bug.cgi?id=273636
rdar://127409431

Reviewed by Tim Horton.

When trying to parse a sequence header, parse only obu_size bytes.

The current code ignores obu_size and parses as long as it sees
data and could end up over-reading into other obus.

Commit URL: https://github.com/AOMediaCodec/libavif/commit/4c7f0f40c3c3c1c362cef47379220041d61fd2af

* Source/WebCore/PAL/ThirdParty/libavif/src/obu.c:
(avifSequenceHeaderParse):

Originally-landed-as: 272448.981 at safari-7618-branch (4f3b41b6047a). rdar://132955262
Canonical link: https://commits.webkit.org/281838@main
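An added illustration of the bounded-parsing rule the commit above describes; this is constructed example code, not libavif's obu.c. It assumes a simplified AV1 OBU layout (one header byte, obu_has_size_field set, no extension byte, then a leb128 obu_size) and shows a reader that can only see obu_size bytes, so a sequence-header parser cannot run into the next OBU.

```cpp
#include <cstddef>
#include <cstdint>
#include <optional>
#include <vector>

// Constructed stand-in for an AV1 OBU stream: each OBU is a 1-byte header,
// a leb128 obu_size, then obu_size payload bytes (simplified: no extension byte).
struct ObuView {
    const uint8_t* payload;
    size_t size;       // = obu_size, the only bytes a parser may read
    size_t next;       // offset of the following OBU in the stream
};

// Reads a leb128 value as AV1 defines it (at most 8 bytes), bounds-checked.
static std::optional<uint64_t> readLeb128(const std::vector<uint8_t>& data, size_t& pos)
{
    uint64_t value = 0;
    for (int i = 0; i < 8; ++i) {
        if (pos >= data.size())
            return std::nullopt;
        uint8_t byte = data[pos++];
        value |= static_cast<uint64_t>(byte & 0x7f) << (7 * i);
        if (!(byte & 0x80))
            return value;
    }
    return std::nullopt;
}

// Locates the OBU at `offset` and returns a view bounded by obu_size, or nullopt
// if the declared size runs past the end of the data.
static std::optional<ObuView> boundedObu(const std::vector<uint8_t>& data, size_t offset)
{
    size_t pos = offset + 1; // skip the obu_header byte
    if (pos > data.size()) return std::nullopt;
    auto size = readLeb128(data, pos);
    if (!size || *size > data.size() - pos)
        return std::nullopt;
    return ObuView{ data.data() + pos, static_cast<size_t>(*size), pos + static_cast<size_t>(*size) };
}

// Parser step that respects the bound: a read past obu_size fails instead of
// spilling into the next OBU, which is the over-read the commit fixes.
static std::optional<uint8_t> readPayloadByte(const ObuView& obu, size_t index)
{
    if (index >= obu.size)
        return std::nullopt;
    return obu.payload[index];
}
```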


  Commit: 4dfdeb7f6ab6f19c3af8d9b1276d65a89d3f3cec
      https://github.com/WebKit/WebKit/commit/4dfdeb7f6ab6f19c3af8d9b1276d65a89d3f3cec
  Author: Erica Li <lerica at apple.com>
  Date:   2024-08-05 (Mon, 05 Aug 2024)

  Changed paths:
    A LayoutTests/editing/undo/redo-reapply-edit-command-crash-expected.txt
    A LayoutTests/editing/undo/redo-reapply-edit-command-crash.html
    M Source/WebCore/editing/CompositeEditCommand.cpp
    M Source/WebCore/editing/Editor.cpp

  Log Message:
  -----------
  heap-use-after-free | WebCore::EditCommandComposition::reapply
rdar://126683181
https://bugs.webkit.org/show_bug.cgi?id=273237

Reviewed by Ryosuke Niwa.

Close TypingCommand when about to undo any command to avoid mutating
m_commands of TypingCommand (during undo & redo).
Make iteration over m_commands safe in EditCommandComposition::reapply
when more commands are appended and its capacity needs to expand.

* LayoutTests/editing/undo/redo-reapply-edit-command-crash-expected.txt: Added.
* LayoutTests/editing/undo/redo-reapply-edit-command-crash.html: Added.
* Source/WebCore/editing/CompositeEditCommand.cpp:
(WebCore::EditCommandComposition::reapply):
(WebCore::EditCommandComposition::getNodesInCommand):
* Source/WebCore/editing/Editor.cpp:
(WebCore::Editor::willUnapplyEditing const):

Originally-landed-as: 272448.968 at safari-7618-branch (39a32d378220). rdar://132955348
Canonical link: https://commits.webkit.org/281839@main


  Commit: 42190b9e1320b2ef71e165fefaf8263d5924281d
      https://github.com/WebKit/WebKit/commit/42190b9e1320b2ef71e165fefaf8263d5924281d
  Author: Jean-Yves Avenard <jya at apple.com>
  Date:   2024-08-05 (Mon, 05 Aug 2024)

  Changed paths:
    A LayoutTests/webaudio/crashtest/audioworklet-concurrent-resampler-crash-expected.txt
    A LayoutTests/webaudio/crashtest/audioworklet-concurrent-resampler-crash.html
    M Source/WebCore/platform/audio/MultiChannelResampler.cpp
    M Source/WebCore/platform/audio/MultiChannelResampler.h

  Log Message:
  -----------
  Always copy all audio channels to the AudioBus to guarantee data lifetime.
https://bugs.webkit.org/show_bug.cgi?id=273176
rdar://125166710

Reviewed by Chris Dumez.

Following 275262 at main, a task is dispatched on the audio render thread.
This task dispatch takes a reference to the source and destination AudioBus;
however, when a MultiChannelResampler is in use, the source AudioBus may
contain a raw pointer to the resampler's AudioArray, and the lifetime of
this object may be shorter than the AudioBus.

In 232182 at main, a speed and memory optimisation was added by using the passed-in buffer
as memory for the first channel in the AudioBus.
We revert this change for now and copy all channels' data to the AudioBus.

Added test.

* LayoutTests/webaudio/crashtest/audioworklet-concurrent-resampler-crash-expected.txt: Added.
* LayoutTests/webaudio/crashtest/audioworklet-concurrent-resampler-crash.html: Added.
* Source/WebCore/platform/audio/MultiChannelResampler.cpp:
(WebCore::MultiChannelResampler::MultiChannelResampler):
(WebCore::MultiChannelResampler::provideInputForChannel):
* Source/WebCore/platform/audio/MultiChannelResampler.h:

Originally-landed-as: 272448.960 at safari-7618-branch (b7ccdb65258e). rdar://132955432
Canonical link: https://commits.webkit.org/281840@main


  Commit: 25eedd143edb3a68d58b8995159bdeb806a9d8b0
      https://github.com/WebKit/WebKit/commit/25eedd143edb3a68d58b8995159bdeb806a9d8b0
  Author: Scott Marcy <mscott at apple.com>
  Date:   2024-08-05 (Mon, 05 Aug 2024)

  Changed paths:
    M Source/ThirdParty/ANGLE/src/compiler/translator/tree_ops/msl/SeparateCompoundExpressions.cpp

  Log Message:
  -----------
  Fix array OOB due to a bug in comma expression processing.
https://bugs.webkit.org/show_bug.cgi?id=xxxxx
rdar://128873925

Reviewed by Dan Glastonbury.

A pre-pass of the ANGLE compiler separates compound expressions into single
expressions with temporary values (i.e. x=A+B+C can become tmp1 = B+C,
x=A+tmp1;). When creating a temporary variable, we previously would copy
the entire type. However, the type constructor also led to copying
qualifiers, such as 'uniform' and 'interface block' markers: qualifiers
that can belong to an original type, but shouldn't ever be applied to
temporary variables. (Fix and explanation by Kyle Piddington.)

* Source/ThirdParty/ANGLE/src/compiler/translator/tree_ops/msl/SeparateCompoundExpressions.cpp:
(sh::Separator::pushBinding):

Originally-landed-as: 5a66ef38bf19. rdar://132955470
Canonical link: https://commits.webkit.org/281841@main


  Commit: a4eefa9bf62946ba7a32da8aedfa0dff2e8ae816
      https://github.com/WebKit/WebKit/commit/a4eefa9bf62946ba7a32da8aedfa0dff2e8ae816
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2024-08-05 (Mon, 05 Aug 2024)

  Changed paths:
    M Source/WebCore/platform/SharedBuffer.cpp
    M Tools/TestWebKitAPI/Tests/WebKitCocoa/LoadAlternateHTMLString.mm
    M Tools/TestWebKitAPI/cocoa/HTTPServer.h
    M Tools/TestWebKitAPI/cocoa/HTTPServer.mm

  Log Message:
  -----------
  Integer truncation in FragmentedSharedBuffer::tryCreateArrayBuffer can lead to a buffer overflow
https://bugs.webkit.org/show_bug.cgi?id=276381
rdar://131369305

Reviewed by Alex Christensen.

Make sure the size fits in an `unsigned` type before casting it.

Including an API test that Alex Christensen wrote.

* Source/WebCore/platform/SharedBuffer.cpp:
(WebCore::FragmentedSharedBuffer::tryCreateArrayBuffer const):

Originally-landed-as: 0d4ba4017ef3. rdar://132955526
Canonical link: https://commits.webkit.org/281842@main
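An added illustration of the size-fits-in-`unsigned` check the commit above describes; this is constructed example code, not WebKit's SharedBuffer.cpp. It models fragment lengths summed in 64 bits against a hypothetical destination sized with a 32-bit `unsigned`, and places the pre-fix unchecked cast beside the checked version.

```cpp
#include <cstdint>
#include <limits>
#include <optional>
#include <vector>

// Hypothetical model of the fragmented-buffer case: fragment lengths are summed in
// 64 bits, but the destination ArrayBuffer is sized with a 32-bit `unsigned`.
using Fragment = std::vector<uint8_t>;

// Total logical size of all fragments, computed in 64 bits so it cannot wrap.
static uint64_t totalSize(const std::vector<Fragment>& fragments)
{
    uint64_t total = 0;
    for (const auto& f : fragments)
        total += f.size();
    return total;
}

// Pre-fix pattern: an unchecked narrowing cast. For totals above UINT_MAX the
// allocation is far too small while the copy still uses the 64-bit total.
static unsigned naiveAllocationSize(uint64_t total)
{
    return static_cast<unsigned>(total);
}

// Fixed pattern: refuse anything that does not fit in `unsigned` before casting.
static std::optional<unsigned> checkedAllocationSize(uint64_t total)
{
    if (total > std::numeric_limits<unsigned>::max())
        return std::nullopt;
    return static_cast<unsigned>(total);
}

// Safe assembly: only copies after the size check passes, so the copy length
// equals the allocation length by construction.
static std::optional<Fragment> tryCreateArrayBuffer(const std::vector<Fragment>& fragments)
{
    auto size = checkedAllocationSize(totalSize(fragments));
    if (!size)
        return std::nullopt;
    Fragment out;
    out.reserve(*size);
    for (const auto& f : fragments)
        out.insert(out.end(), f.begin(), f.end());
    return out;
}
```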


Compare: https://github.com/WebKit/WebKit/compare/9e8d4d66bfae...a4eefa9bf629
