[webkit-changes] [WebKit/WebKit] 4d861f: [CoreIPC] heap-use-after-free in WebCore::MockMedi...
youennf
noreply at github.com
Wed Jan 24 10:37:25 PST 2024
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 4d861ff045d4ce0cc26414854fbb422b0299960f
https://github.com/WebKit/WebKit/commit/4d861ff045d4ce0cc26414854fbb422b0299960f
Author: Nicole Rosario <nicole_rosario at apple.com>
Date: 2024-01-24 (Wed, 24 Jan 2024)
Changed paths:
M LayoutTests/TestExpectations
A LayoutTests/ipc/argumentParser.js
A LayoutTests/ipc/fuzz_tools.js
A LayoutTests/ipc/media-player-invalid-test-expected.txt
A LayoutTests/ipc/media-player-invalid-test.html
M Source/WebCore/platform/mock/mediasource/MockMediaSourcePrivate.cpp
M Source/WebCore/platform/mock/mediasource/MockMediaSourcePrivate.h
Log Message:
-----------
[CoreIPC] heap-use-after-free in WebCore::MockMediaSourcePrivate::markEndOfStream
rdar://115982856
Reviewed by Jean-Yves Avenard and Eric Carlson.
Error only hit in internal testing. Object was referenced after deletion. Updated `MockMediaPlayer` to use weak pointer for `m_player` instead of reference and added checks to methods to check that `m_player` exists before trying to read/write.
* Source/WebCore/platform/mock/mediasource/MockMediaSourcePrivate.cpp: added check that `m_player` exists before accessing
* Source/WebCore/platform/mock/mediasource/MockMediaSourcePrivate.h: changed `m_player` to weak pointer instead of a reference
* Source/WebCore/platform/mock/mediasource/MockSourceBufferPrivate.cpp:
(WebCore::MockSourceBufferPrivate::readyState const):
(WebCore::MockSourceBufferPrivate::setReadyState):
Originally-landed-as: 267815.570 at safari-7617-branch (fc6f62059d44). rdar://121481507
Canonical link: https://commits.webkit.org/273428@main
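The pattern this commit describes (hold a weak pointer to an object someone else owns, and verify it is still alive before every read or write) as an added example; this is not WebKit's code. It uses `std::weak_ptr` in place of WebKit's `WeakPtr`, and `Player`, `SourcePrivate`, `readyState`/`setReadyState` and the `ReadyState` values are stand-in names, not the real `MockMediaPlayer`/`MockMediaSourcePrivate` API.

```cpp
#include <memory>

// Hypothetical stand-ins (not WebCore types) for the player and the source-private object
// that refers to it. The owner controls the player's lifetime; SourcePrivate must never assume
// the player outlives it.
enum class ReadyState { HaveNothing, HaveMetadata, HaveEnoughData };

struct Player {
    ReadyState state = ReadyState::HaveNothing;
};

class SourcePrivate {
public:
    explicit SourcePrivate(const std::shared_ptr<Player>& player) : m_player(player) {}

    // Read path: lock() yields a null pointer once the player has been destroyed, so the
    // access is skipped and a safe default is returned instead of dereferencing freed memory.
    ReadyState readyState() const {
        if (auto player = m_player.lock())
            return player->state;
        return ReadyState::HaveNothing;
    }

    // Write path: returns false (and does nothing) when the player no longer exists.
    bool setReadyState(ReadyState state) {
        auto player = m_player.lock();
        if (!player)
            return false;
        player->state = state;
        return true;
    }

private:
    std::weak_ptr<Player> m_player;  // was a reference in the buggy version
};

// Constructed scenario: use the source normally, destroy the player, then use it again.
// Returns true if every post-destruction access was refused rather than performed.
bool useAfterDestroyIsRefused() {
    auto player = std::make_shared<Player>();
    SourcePrivate source(player);
    if (!source.setReadyState(ReadyState::HaveMetadata))
        return false;
    if (source.readyState() != ReadyState::HaveMetadata)
        return false;
    player.reset();  // owner tears the player down; source still holds only a weak pointer
    if (source.setReadyState(ReadyState::HaveEnoughData))
        return false;  // must be refused, not written through a dangling reference
    return source.readyState() == ReadyState::HaveNothing;
}

int main() {
    return useAfterDestroyIsRefused() ? 0 : 1;
}
```

With a plain reference the second `setReadyState` would write into freed memory, which is exactly what a sanitizer reports as heap-use-after-free; with the weak pointer the null check turns it into a no-op.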
Commit: 622f92afdb426af016db98987bbe36b87c9098f5
https://github.com/WebKit/WebKit/commit/622f92afdb426af016db98987bbe36b87c9098f5
Author: Nicole Rosario <nicole_rosario at apple.com>
Date: 2024-01-24 (Wed, 24 Jan 2024)
Changed paths:
M LayoutTests/TestExpectations
A LayoutTests/fast/rendering/render-list-marker-select-expected.txt
A LayoutTests/fast/rendering/render-list-marker-select.html
M Source/WebCore/rendering/updating/RenderTreeBuilderList.cpp
Log Message:
-----------
jsc_fuz/wktr: null ptr deref in WebCore::RenderMenuList::computeIntrinsicLogicalWidths
https://bugs.webkit.org/show_bug.cgi?id=264830
rdar://115721454
Reviewed by Alan Baradlay.
Null pointer dereference error caused by render tree being ordered incorrectly. RenderListMarker
was being placed inside RenderMenuList, where RenderListMarker and RenderMenuList should be on
the same level and in RenderListItem
* LayoutTests/fast/rendering/render-list-marker-select-expected.txt:
* LayoutTests/fast/rendering/render-list-marker-select.html:
* Source/WebCore/rendering/updating/RenderTreeBuilderList.cpp:
(WebCore::getParentOfFirstLineBox): added check to ensure RenderListMarker isn't placed inside
RenderMenuList but can be placed at same level (ie, sibling)
Originally-landed-as: 267815.595 at safari-7617-branch (2a1f2e7acfe2). rdar://121481232
Canonical link: https://commits.webkit.org/273429@main
Commit: 15774fae27ec36386eddb171418ddcfe1c488c08
https://github.com/WebKit/WebKit/commit/15774fae27ec36386eddb171418ddcfe1c488c08
Author: David Kilzer <ddkilzer at apple.com>
Date: 2024-01-24 (Wed, 24 Jan 2024)
Changed paths:
M Source/ThirdParty/libwebrtc/Source/webrtc/modules/rtp_rtcp/source/rtp_format_vp9.cc
A Source/ThirdParty/libwebrtc/WebKit/01-WebRTC-Stack-buffer-overflow-in-webrtc-anonymous_namespace-SsDataLength.patch
Log Message:
-----------
[WebRTC] Stack-buffer-overflow in webrtc::anonymous_namespace::SsDataLength() in vp9 packetizer
https://bugs.webkit.org/show_bug.cgi?id=265727
<rdar://119074872>
Reviewed by Youenn Fablet.
* Source/ThirdParty/libwebrtc/Source/webrtc/modules/rtp_rtcp/source/rtp_format_vp9.cc:
(webrtc::anonymous_namespace::SsDataLength):
- Change debug assertion into runtime check.
* Source/ThirdParty/libwebrtc/WebKit/01-WebRTC-Stack-buffer-overflow-in-webrtc-anonymous_namespace-SsDataLength.patch: Add.
Originally-landed-as: 267815.606 at safari-7617-branch (f2ba7a5d0dd0). rdar://121481147
Canonical link: https://commits.webkit.org/273430@main
Commit: bb644de42b02991f8e878e917b2df008a9a17a3e
https://github.com/WebKit/WebKit/commit/bb644de42b02991f8e878e917b2df008a9a17a3e
Author: David Kilzer <ddkilzer at apple.com>
Date: 2024-01-24 (Wed, 24 Jan 2024)
Changed paths:
M Source/ThirdParty/libwebrtc/Source/webrtc/modules/rtp_rtcp/source/rtp_format_vp9.cc
A Source/ThirdParty/libwebrtc/WebKit/0001-WebRTC-Out-of-bounds-crash-in-webrtc-anonymous_namespace-RemoveInactiveSpatialLayers.patch
Log Message:
-----------
[WebRTC] Out-of-bounds crash in webrtc::anonymous_namespace::RemoveInactiveSpatialLayers() in vp9 packetizer
https://bugs.webkit.org/show_bug.cgi?id=265776
<rdar://119112931>
Reviewed by Youenn Fablet.
* Source/ThirdParty/libwebrtc/Source/webrtc/modules/rtp_rtcp/source/rtp_format_vp9.cc:
(webrtc::anonymous_namespace::RemoveInactiveSpatialLayers):
- Add sanity check for RTPVideoHeaderVP9::num_spatial_layers. This
matches the check in SsDataLength(), but that's called later when
initializing fields in RtpPacketizerVp9.
* Source/ThirdParty/libwebrtc/WebKit/0001-WebRTC-Out-of-bounds-crash-in-webrtc-anonymous_namespace-RemoveInactiveSpatialLayers.patch: Add.
Originally-landed-as: 267815.607 at safari-7617-branch (7fa29f992225). rdar://121481068
Canonical link: https://commits.webkit.org/273431@main
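Both WebRTC commits above apply the same fix: a layer count taken from the video header indexes fixed-size arrays, and a debug-only assertion on that count leaves release builds reading out of bounds, so the bound becomes a runtime check, applied in `RemoveInactiveSpatialLayers()` as well as `SsDataLength()` because the former runs first. The following is an added example of that pattern, not libwebrtc's code: `Vp9Header`, `kMaxSpatialLayers`, `hasValidLayerCount` and the simplified length formula are constructed stand-ins, and the cap of 8 is an assumed value rather than the real packetizer's constant.

```cpp
#include <cstddef>
#include <cstdint>
#include <optional>

// Constructed stand-in for RTPVideoHeaderVP9 (not the libwebrtc struct). The layer cap is an
// assumed constant; the point is only that width[]/height[] have a fixed length.
constexpr std::size_t kMaxSpatialLayers = 8;

struct Vp9Header {
    uint8_t num_spatial_layers = 0;
    bool spatial_layer_resolution_present = false;
    uint16_t width[kMaxSpatialLayers] = {};
    uint16_t height[kMaxSpatialLayers] = {};
};

// Runtime validation shared by both steps. A DCHECK here would vanish in release builds and
// the loops below would then read past the arrays for a malformed num_spatial_layers.
bool hasValidLayerCount(const Vp9Header& hdr) {
    return hdr.num_spatial_layers > 0 && hdr.num_spatial_layers <= kMaxSpatialLayers;
}

// Simplified scalability-structure length: one flag byte, plus 2 + 2 resolution bytes per
// layer when resolutions are present. Returns nullopt for a malformed header instead of
// indexing out of bounds.
std::optional<std::size_t> ssDataLength(const Vp9Header& hdr) {
    if (!hasValidLayerCount(hdr))
        return std::nullopt;
    std::size_t length = 1;
    if (hdr.spatial_layer_resolution_present)
        length += 4 * static_cast<std::size_t>(hdr.num_spatial_layers);
    return length;
}

// Compacts out layers with a zero resolution (inactive) and returns the new layer count.
// It applies the same bound itself, because it runs before ssDataLength() would catch it.
std::optional<uint8_t> removeInactiveSpatialLayers(Vp9Header& hdr) {
    if (!hasValidLayerCount(hdr))
        return std::nullopt;
    uint8_t kept = 0;
    for (uint8_t i = 0; i < hdr.num_spatial_layers; ++i) {
        if (hdr.width[i] == 0 || hdr.height[i] == 0)
            continue;
        hdr.width[kept] = hdr.width[i];
        hdr.height[kept] = hdr.height[i];
        ++kept;
    }
    for (uint8_t i = kept; i < hdr.num_spatial_layers; ++i)
        hdr.width[i] = hdr.height[i] = 0;
    hdr.num_spatial_layers = kept;
    return kept;
}

int main() {
    Vp9Header bad;
    bad.num_spatial_layers = 200;  // constructed malformed header
    return (!ssDataLength(bad) && !removeInactiveSpatialLayers(bad)) ? 0 : 1;
}
```

The check lives in one helper so the two call sites cannot drift apart, which is the risk the second commit message points at: the bound existed in `SsDataLength()` but the earlier function was reached first.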
Commit: 1e8c797c8799581ef47ad5a25f917064b1f40823
https://github.com/WebKit/WebKit/commit/1e8c797c8799581ef47ad5a25f917064b1f40823
Author: Nisha Jain <nisha_jain at apple.com>
Date: 2024-01-24 (Wed, 24 Jan 2024)
Changed paths:
A LayoutTests/fast/box-shadow/large-shadowblur-no-crash-expected.txt
A LayoutTests/fast/box-shadow/large-shadowblur-no-crash.html
M Source/WebCore/platform/graphics/ShadowBlur.cpp
Log Message:
-----------
heap-buffer-overflow: crash under WebCore::ShadowBlur::blurLayerImage().
https://bugs.webkit.org/show_bug.cgi?id=264978
rdar://118004762.
Reviewed by Simon Fraser.
For very large box-shadow sizes due to floating point precision error,
ImageBuffer::getPixelBuffer returns 'PixelBuffer' size which
is not same as passed size. This causes buffer overflow/underflow
issue for these large sizes. In order to fix it now we use same
size as allocated 'PixelBuffer' size even though it could be slightly
different than original size.
* LayoutTests/fast/box-shadow/large-shadowblur-no-crash-expected.txt: Added test expected file.
* LayoutTests/fast/box-shadow/large-shadowblur-no-crash.html: Added test case.
* Source/WebCore/platform/graphics/ShadowBlur.cpp:
(WebCore::ShadowBlur::blurShadowBuffer): Using same size as allocated pixel buffer size.
Originally-landed-as: 267815.608 at safari-7617-branch (e09e3cd2f3db). rdar://121481090
Canonical link: https://commits.webkit.org/273432@main
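An added example of the failure mode and the fix described in this commit, not WebCore's code: a buffer is requested with one integer size, the allocator derives its real size from a float-scaled rect and hands back something slightly smaller, and a loop bounded by the requested size then runs off the end. `PixelBuffer`, `IntSize`, `getPixelBuffer` and `blurPassInBounds` are constructed stand-ins for the ShadowBlur/ImageBuffer types.

```cpp
#include <cmath>
#include <cstddef>
#include <cstdint>
#include <vector>

// Constructed stand-ins (not WebCore types).
struct IntSize { int width; int height; };

struct PixelBuffer {
    IntSize size;
    std::vector<uint8_t> data;  // RGBA, 4 bytes per pixel
    explicit PixelBuffer(IntSize s)
        : size(s), data(static_cast<std::size_t>(s.width) * static_cast<std::size_t>(s.height) * 4) {}
};

// Models the mismatch: the allocator sizes the buffer from a float-scaled rect, so for large
// sizes precision loss can make it a pixel smaller than the integer size the caller computed.
PixelBuffer getPixelBuffer(IntSize requested, float scale) {
    float w = static_cast<float>(requested.width) * scale;
    float h = static_cast<float>(requested.height) * scale;
    return PixelBuffer({ static_cast<int>(std::floor(w)), static_cast<int>(std::floor(h)) });
}

// Simulates one horizontal blur pass over loopSize, using the buffer's real stride. Returns
// false at the first pixel that would fall outside buffer.data instead of touching it.
bool blurPassInBounds(const PixelBuffer& buffer, IntSize loopSize) {
    const std::size_t stride = static_cast<std::size_t>(buffer.size.width) * 4;
    for (int y = 0; y < loopSize.height; ++y) {
        for (int x = 0; x < loopSize.width; ++x) {
            std::size_t index = static_cast<std::size_t>(y) * stride + static_cast<std::size_t>(x) * 4;
            if (index + 3 >= buffer.data.size())
                return false;
        }
    }
    return true;
}

// Before: loop over the size we asked for. After: loop over the size we actually got.
bool blurWithRequestedSize(const PixelBuffer& buffer, IntSize requested) {
    return blurPassInBounds(buffer, requested);
}
bool blurWithAllocatedSize(const PixelBuffer& buffer) {
    return blurPassInBounds(buffer, buffer.size);
}

int main() {
    IntSize requested { 1000, 1000 };
    PixelBuffer buffer = getPixelBuffer(requested, 0.99999f);  // constructed: yields 999 x 999
    return (!blurWithRequestedSize(buffer, requested) && blurWithAllocatedSize(buffer)) ? 0 : 1;
}
```

The general rule, which is what the commit applies: once an allocation has been made, every index computation downstream should be derived from the object that was actually returned, not from the value that was passed in to request it.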
Commit: 0abac9dcb7e3639246a7c64b4b54a7b855ab5d26
https://github.com/WebKit/WebKit/commit/0abac9dcb7e3639246a7c64b4b54a7b855ab5d26
Author: Youenn Fablet <youennf at gmail.com>
Date: 2024-01-24 (Wed, 24 Jan 2024)
Changed paths:
M Source/WebKit/WebProcess/GPU/graphics/RemoteDisplayListRecorderProxy.cpp
M Source/WebKit/WebProcess/GPU/graphics/RemoteDisplayListRecorderProxy.h
Log Message:
-----------
[macOS] WebContent crash in WTF::deallocateSendRightSafely under ~SharedVideoFrameWriter() (GUARD_TYPE_MACH_PORT :: INVALID_NAME)
rdar://114943202
Reviewed by Chris Dumez.
After https://bugs.webkit.org/show_bug.cgi?id=258379, we were creating the writer lazily but the creation can be triggered from multiple threads at once.
Given SharedVideoFrameWriter is expected to be used on a single thread/queue, we now protect it in RemoteDisplayListRecorderProxy with a lock.
* Source/WebKit/WebProcess/GPU/graphics/RemoteDisplayListRecorderProxy.cpp:
(WebKit::RemoteDisplayListRecorderProxy::recordPaintVideoFrame):
(WebKit::RemoteDisplayListRecorderProxy::disconnect):
(WebKit::RemoteDisplayListRecorderProxy::ensureSharedVideoFrameWriter): Deleted.
* Source/WebKit/WebProcess/GPU/graphics/RemoteDisplayListRecorderProxy.h:
Originally-landed-as: 267815.610 at safari-7617-branch (8d4c34c20726). rdar://121480967
Canonical link: https://commits.webkit.org/273433@main
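The race this commit fixes, shown as an added example rather than WebKit's code: an object created lazily on first use from several threads without synchronization can be constructed twice, and when it owns a kernel resource the second construction and destruction produce a double release (here that resource is modelled by counters rather than a Mach send right). `FrameWriter`, `RecorderProxy` and `runConcurrentRecording` are stand-in names for `SharedVideoFrameWriter` and `RemoteDisplayListRecorderProxy`; the lock is a `std::mutex` standing in for WebKit's `Lock`.

```cpp
#include <atomic>
#include <memory>
#include <mutex>
#include <thread>
#include <utility>
#include <vector>

// Hypothetical stand-in (not WebKit code) for a writer that owns a resource which must be
// acquired and released exactly once; the counters stand in for that resource.
struct FrameWriter {
    static std::atomic<int> constructed;
    static std::atomic<int> destroyed;
    FrameWriter() { ++constructed; }
    ~FrameWriter() { ++destroyed; }
};
std::atomic<int> FrameWriter::constructed{0};
std::atomic<int> FrameWriter::destroyed{0};

class RecorderProxy {
public:
    // Lazy creation and every use happen under the same lock, so two threads racing into this
    // method cannot both observe a null m_writer and each construct their own writer.
    void recordPaintVideoFrame() {
        std::lock_guard<std::mutex> lock(m_writerLock);
        if (!m_writer)
            m_writer = std::make_unique<FrameWriter>();
        // ... write the frame through *m_writer while still holding the lock ...
    }

    // Teardown takes the same lock, so it cannot interleave with a creation in progress.
    void disconnect() {
        std::lock_guard<std::mutex> lock(m_writerLock);
        m_writer.reset();
    }

private:
    std::mutex m_writerLock;
    std::unique_ptr<FrameWriter> m_writer;
};

// Drives one proxy from several threads at once, then disconnects it.
// Returns {constructed, destroyed}; with the lock both must be exactly 1.
std::pair<int, int> runConcurrentRecording(int threadCount, int callsPerThread) {
    FrameWriter::constructed = 0;
    FrameWriter::destroyed = 0;
    RecorderProxy proxy;
    std::vector<std::thread> workers;
    for (int t = 0; t < threadCount; ++t) {
        workers.emplace_back([&proxy, callsPerThread] {
            for (int i = 0; i < callsPerThread; ++i)
                proxy.recordPaintVideoFrame();
        });
    }
    for (auto& w : workers)
        w.join();
    proxy.disconnect();
    return { FrameWriter::constructed.load(), FrameWriter::destroyed.load() };
}

int main() {
    auto counts = runConcurrentRecording(8, 1000);
    return (counts.first == 1 && counts.second == 1) ? 0 : 1;
}
```

Removing the `lock_guard` from `recordPaintVideoFrame` reproduces the bug class under a thread sanitizer: the unguarded null check is the window in which two threads both decide to create the writer.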
Compare: https://github.com/WebKit/WebKit/compare/f3f8098013c2...0abac9dcb7e3