[webkit-changes] [WebKit/WebKit] 4d861f: [CoreIPC] heap-use-after-free in WebCore::MockMedi...

youennf noreply at github.com
Wed Jan 24 10:37:25 PST 2024 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 4d861ff045d4ce0cc26414854fbb422b0299960f
      https://github.com/WebKit/WebKit/commit/4d861ff045d4ce0cc26414854fbb422b0299960f
  Author: Nicole Rosario <nicole_rosario at apple.com>
  Date:   2024-01-24 (Wed, 24 Jan 2024)

  Changed paths:
    M LayoutTests/TestExpectations
    A LayoutTests/ipc/argumentParser.js
    A LayoutTests/ipc/fuzz_tools.js
    A LayoutTests/ipc/media-player-invalid-test-expected.txt
    A LayoutTests/ipc/media-player-invalid-test.html
    M Source/WebCore/platform/mock/mediasource/MockMediaSourcePrivate.cpp
    M Source/WebCore/platform/mock/mediasource/MockMediaSourcePrivate.h

  Log Message:
  -----------
  [CoreIPC] heap-use-after-free in WebCore::MockMediaSourcePrivate::markEndOfStream
rdar://115982856

Reviewed by Jean-Yves Avenard and Eric Carlson.

Error only hit in internal testing. Object was referenced after deletion. Updated `MockMediaPlayer` to use weak pointer for `m_player` instead of reference and added checks to methods to check that `m_player` exists before trying to read/write

* Source/WebCore/platform/mock/mediasource/MockMediaSourcePrivate.cpp: added check that `m_player` exists before accessing
* Source/WebCore/platform/mock/mediasource/MockMediaSourcePrivate.h: changed `m_player` to weak pointer instead of a reference
* Source/WebCore/platform/mock/mediasource/MockSourceBufferPrivate.cpp:
(WebCore::MockSourceBufferPrivate::readyState const):
(WebCore::MockSourceBufferPrivate::setReadyState):

Originally-landed-as: 267815.570 at safari-7617-branch (fc6f62059d44). rdar://121481507
Canonical link: https://commits.webkit.org/273428@main


  Commit: 622f92afdb426af016db98987bbe36b87c9098f5
      https://github.com/WebKit/WebKit/commit/622f92afdb426af016db98987bbe36b87c9098f5
  Author: Nicole Rosario <nicole_rosario at apple.com>
  Date:   2024-01-24 (Wed, 24 Jan 2024)

  Changed paths:
    M LayoutTests/TestExpectations
    A LayoutTests/fast/rendering/render-list-marker-select-expected.txt
    A LayoutTests/fast/rendering/render-list-marker-select.html
    M Source/WebCore/rendering/updating/RenderTreeBuilderList.cpp

  Log Message:
  -----------
  jsc_fuz/wktr: null ptr deref in WebCore::RenderMenuList::computeIntrinsicLogicalWidths
https://bugs.webkit.org/show_bug.cgi?id=264830
rdar://115721454

Reviewed by Alan Baradlay.

Null pointer dereference error caused by render tree being ordered incorrectly. RenderListMarker
was being placed inside RenderMenuList, where RenderListMarker and RenderMenuList should be on
the same level and in RenderListItem

* LayoutTests/fast/rendering/render-list-marker-select-expected.txt:
* LayoutTests/fast/rendering/render-list-marker-select.html:
* Source/WebCore/rendering/updating/RenderTreeBuilderList.cpp:
(WebCore::getParentOfFirstLineBox): added check to ensure RenderListMarker isn't placed inside
RenderMenuList but can be placed at same level (ie, sibling)

Originally-landed-as: 267815.595 at safari-7617-branch (2a1f2e7acfe2). rdar://121481232
Canonical link: https://commits.webkit.org/273429@main


  Commit: 15774fae27ec36386eddb171418ddcfe1c488c08
      https://github.com/WebKit/WebKit/commit/15774fae27ec36386eddb171418ddcfe1c488c08
  Author: David Kilzer <ddkilzer at apple.com>
  Date:   2024-01-24 (Wed, 24 Jan 2024)

  Changed paths:
    M Source/ThirdParty/libwebrtc/Source/webrtc/modules/rtp_rtcp/source/rtp_format_vp9.cc
    A Source/ThirdParty/libwebrtc/WebKit/01-WebRTC-Stack-buffer-overflow-in-webrtc-anonymous_namespace-SsDataLength.patch

  Log Message:
  -----------
  [WebRTC] Stack-buffer-overflow in webrtc::anonymous_namespace::SsDataLength() in vp9 packetizer
https://bugs.webkit.org/show_bug.cgi?id=265727
<rdar://119074872>

Reviewed by Youenn Fablet.

* Source/ThirdParty/libwebrtc/Source/webrtc/modules/rtp_rtcp/source/rtp_format_vp9.cc:
(webrtc::anonymous_namespace::SsDataLength):
- Change debug assertion into runtime check.

* Source/ThirdParty/libwebrtc/WebKit/01-WebRTC-Stack-buffer-overflow-in-webrtc-anonymous_namespace-SsDataLength.patch: Add.

Originally-landed-as: 267815.606 at safari-7617-branch (f2ba7a5d0dd0). rdar://121481147
Canonical link: https://commits.webkit.org/273430@main


  Commit: bb644de42b02991f8e878e917b2df008a9a17a3e
      https://github.com/WebKit/WebKit/commit/bb644de42b02991f8e878e917b2df008a9a17a3e
  Author: David Kilzer <ddkilzer at apple.com>
  Date:   2024-01-24 (Wed, 24 Jan 2024)

  Changed paths:
    M Source/ThirdParty/libwebrtc/Source/webrtc/modules/rtp_rtcp/source/rtp_format_vp9.cc
    A Source/ThirdParty/libwebrtc/WebKit/0001-WebRTC-Out-of-bounds-crash-in-webrtc-anonymous_namespace-RemoveInactiveSpatialLayers.patch

  Log Message:
  -----------
  [WebRTC] Out-of-bounds crash in webrtc::anonymous_namespace::RemoveInactiveSpatialLayers() in vp9 packetizer
https://bugs.webkit.org/show_bug.cgi?id=265776
<rdar://119112931>

Reviewed by Youenn Fablet.

* Source/ThirdParty/libwebrtc/Source/webrtc/modules/rtp_rtcp/source/rtp_format_vp9.cc:
(webrtc::anonymous_namespace::RemoveInactiveSpatialLayers):
- Add sanity check for RTPVideoHeaderVP9::num_spatial_layers.  This
  matches the check in SsDataLength(), but that's called later when
  initializing fields in RtpPacketizerVp9.

* Source/ThirdParty/libwebrtc/WebKit/0001-WebRTC-Out-of-bounds-crash-in-webrtc-anonymous_namespace-RemoveInactiveSpatialLayers.patch: Add.

Originally-landed-as: 267815.607 at safari-7617-branch (7fa29f992225). rdar://121481068
Canonical link: https://commits.webkit.org/273431@main


  Commit: 1e8c797c8799581ef47ad5a25f917064b1f40823
      https://github.com/WebKit/WebKit/commit/1e8c797c8799581ef47ad5a25f917064b1f40823
  Author: Nisha Jain <nisha_jain at apple.com>
  Date:   2024-01-24 (Wed, 24 Jan 2024)

  Changed paths:
    A LayoutTests/fast/box-shadow/large-shadowblur-no-crash-expected.txt
    A LayoutTests/fast/box-shadow/large-shadowblur-no-crash.html
    M Source/WebCore/platform/graphics/ShadowBlur.cpp

  Log Message:
  -----------
  heap-buffer-overflow: crash under WebCore::ShadowBlur::blurLayerImage().
https://bugs.webkit.org/show_bug.cgi?id=264978
rdar://118004762.

Reviewed by Simon Fraser.

For very large box-shadow sizes due to floating point precision error,
ImageBuffer::getPixelBuffer returns 'PixelBuffer' size which
is not same as passed size.This causes buffer overflow/underflow
issue for these large sizes. In order to fix it now we use same
size as allocated 'PixelBuffer' size even though it could be slightly
different than original size.

* LayoutTests/fast/box-shadow/large-shadowblur-no-crash-expected.txt: Added test expected file.
* LayoutTests/fast/box-shadow/large-shadowblur-no-crash.html: Added test case.
* Source/WebCore/platform/graphics/ShadowBlur.cpp:
(WebCore::ShadowBlur::blurShadowBuffer): Using same size as allocated pixel buffer size.

Originally-landed-as: 267815.608 at safari-7617-branch (e09e3cd2f3db). rdar://121481090
Canonical link: https://commits.webkit.org/273432@main


  Commit: 0abac9dcb7e3639246a7c64b4b54a7b855ab5d26
      https://github.com/WebKit/WebKit/commit/0abac9dcb7e3639246a7c64b4b54a7b855ab5d26
  Author: Youenn Fablet <youennf at gmail.com>
  Date:   2024-01-24 (Wed, 24 Jan 2024)

  Changed paths:
    M Source/WebKit/WebProcess/GPU/graphics/RemoteDisplayListRecorderProxy.cpp
    M Source/WebKit/WebProcess/GPU/graphics/RemoteDisplayListRecorderProxy.h

  Log Message:
  -----------
  [macOS] WebContent crash in WTF::deallocateSendRightSafely under ~SharedVideoFrameWriter() (GUARD_TYPE_MACH_PORT :: INVALID_NAME)
rdar://114943202

Reviewed by Chris Dumez.

After https://bugs.webkit.org/show_bug.cgi?id=258379, we were creating the writer lazily but the creation can be triggered from multiple threads at once.
Given SharedVideoFrameWriter is expected to be used on a single thread/queue, we now protect it in RemoteDisplayListRecorderProxy with a lock.

* Source/WebKit/WebProcess/GPU/graphics/RemoteDisplayListRecorderProxy.cpp:
(WebKit::RemoteDisplayListRecorderProxy::recordPaintVideoFrame):
(WebKit::RemoteDisplayListRecorderProxy::disconnect):
(WebKit::RemoteDisplayListRecorderProxy::ensureSharedVideoFrameWriter): Deleted.
* Source/WebKit/WebProcess/GPU/graphics/RemoteDisplayListRecorderProxy.h:

Originally-landed-as: 267815.610 at safari-7617-branch (8d4c34c20726). rdar://121480967
Canonical link: https://commits.webkit.org/273433@main


Compare: https://github.com/WebKit/WebKit/compare/f3f8098013c2...0abac9dcb7e3

More information about the webkit-changes mailing list