[webkit-changes] [WebKit/WebKit] 940dcc: Limit TextDecoder input to 2GB
Jer Noble
noreply at github.com
Tue Sep 17 04:16:05 PDT 2024
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 940dcc945a56e9f15ea23665fe77a72c181f1abc
https://github.com/WebKit/WebKit/commit/940dcc945a56e9f15ea23665fe77a72c181f1abc
Author: Nitin Mahendru <nitinmahendru at apple.com>
Date: 2024-09-17 (Tue, 17 Sep 2024)
Changed paths:
A LayoutTests/security/decode-buffer-size-expected.txt
A LayoutTests/security/decode-buffer-size.html
A LayoutTests/security/text-decode-long-strings-expected.txt
A LayoutTests/security/text-decode-long-strings.html
M Source/WebCore/dom/TextDecoder.cpp
M Source/WebCore/dom/TextDecoder.h
Log Message:
-----------
Limit TextDecoder input to 2GB
rdar://130960796
Reviewed by John Wilander.
Rebasing Alex Christensen's change in
https://github.com/apple/WebKit/pull/1360 on the new security branch.
This basically matches the behavior of other browsers and prevents us from creating a string
longer than String::MaxLength.
* LayoutTests/security/decode-buffer-size-expected.txt: Added.
* LayoutTests/security/decode-buffer-size.html: Added.
* LayoutTests/security/text-decode-long-strings-expected.txt: Added.
* LayoutTests/security/text-decode-long-strings.html: Added.
* Source/WebCore/dom/TextDecoder.cpp:
(WebCore::TextDecoder::decode):
* Source/WebCore/dom/TextDecoder.h:
Co-authored-by: Alex Christensen <achristensen at apple.com>
Originally-landed-as: 280938.4 at safari-7619-branch (96ca9f96746c). rdar://136112461
Canonical link: https://commits.webkit.org/283763@main

Commit: 73a87ea505fa3554ebedc55b34ef74871323d5ab
https://github.com/WebKit/WebKit/commit/73a87ea505fa3554ebedc55b34ef74871323d5ab
Author: Abrar Rahman Protyasha <a_protyasha at apple.com>
Date: 2024-09-17 (Tue, 17 Sep 2024)
Changed paths:
A LayoutTests/fast/forms/datalist/suggestions-list-outside-of-visual-viewport-expected.txt
A LayoutTests/fast/forms/datalist/suggestions-list-outside-of-visual-viewport.html
M Source/WebKit/WebProcess/WebCoreSupport/WebDataListSuggestionPicker.cpp
Log Message:
-----------
Websites can spoof the contents of the address bar using <datalist>
rdar://115912814
Reviewed by Wenson Hsieh.
<input> elements positioned outside of the visual viewport are never
visible, since they are rendered in the page. On the contrary, it is
possible for a <datalist> suggestions list to seemingly hover freely in
space while its associated <input> is not visible in the page content.
This is because our datalist presentation logic anchors said lists (in
their own NSWindow) to the inputs.
This style of presentation makes us susceptible to free-floating
<datalist> elements, which, if positioned with the right margins and
contents, may resemble a UA's address bar!
To fix this vulnerability, we harden our datalist presentation logic by
asking the UI process to _not_ `ShowDataListSuggestions` if the associated
input element is (completely) absent from the visual viewport.
* LayoutTests/fast/forms/datalist/suggestions-list-outside-of-visual-viewport-expected.txt: Added.
* LayoutTests/fast/forms/datalist/suggestions-list-outside-of-visual-viewport.html: Added.
* Source/WebKit/WebProcess/WebCoreSupport/WebDataListSuggestionPicker.cpp:
(WebKit::WebDataListSuggestionPicker::displayWithActivationType):
Originally-landed-as: 280938.5 at safari-7619-branch (46af4f50bd12). rdar://136112387
Canonical link: https://commits.webkit.org/283764@main

Commit: ca74f3149f0f8e5cb4b8b77ffd571e9b0f2384b3
https://github.com/WebKit/WebKit/commit/ca74f3149f0f8e5cb4b8b77ffd571e9b0f2384b3
Author: Jer Noble <jer.noble at apple.com>
Date: 2024-09-17 (Tue, 17 Sep 2024)
Changed paths:
M Source/WebKit/GPUProcess/GPUProcess.cpp
Log Message:
-----------
CRASH in GPUProcess::mediaCacheDirectory()
https://bugs.webkit.org/show_bug.cgi?id=276340
rdar://125544057
Reviewed by Eric Carlson.
Verify that the given sessionID is present in m_sessions before dereferencing.
* Source/WebKit/GPUProcess/GPUProcess.cpp:
(WebKit::GPUProcess::removeSession):
(WebKit::GPUProcess::mediaCacheDirectory const):
(WebKit::GPUProcess::mediaKeysStorageDirectory const):
Originally-landed-as: 280938.6 at safari-7619-branch (6091303acb69). rdar://136112238
Canonical link: https://commits.webkit.org/283765@main

Commit: d1154cafe84288cf4492b7b9faed46208a62cd18
https://github.com/WebKit/WebKit/commit/d1154cafe84288cf4492b7b9faed46208a62cd18
Author: Jer Noble <jer.noble at apple.com>
Date: 2024-09-17 (Tue, 17 Sep 2024)
Changed paths:
M Source/WebCore/Modules/encryptedmedia/MediaKeySession.cpp
Log Message:
-----------
UAF in MediaKeySession::load()
https://bugs.webkit.org/show_bug.cgi?id=276633
rdar://129490880
Reviewed by Andy Estes.
Check nullity of weakThis inside the lambda passed into loadSession() before continuing.
* Source/WebCore/Modules/encryptedmedia/MediaKeySession.cpp:
(WebCore::MediaKeySession::load):
Originally-landed-as: 280938.7 at safari-7619-branch (b89347ebdcc1). rdar://136112074
Canonical link: https://commits.webkit.org/283766@main

Commit: 290b276c74a8e542b178a35d4d99ef28a5a9a809
https://github.com/WebKit/WebKit/commit/290b276c74a8e542b178a35d4d99ef28a5a9a809
Author: Jer Noble <jer.noble at apple.com>
Date: 2024-09-17 (Tue, 17 Sep 2024)
Changed paths:
M Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp
Log Message:
-----------
Add check in AudioBufferSourceNode::renderFromBuffer() when pitchRate == -1 && !needsInterpolation
https://bugs.webkit.org/show_bug.cgi?id=276645
rdar://130939143
Reviewed by Andy Estes.
Add a boundary check to renderFromBuffer() to ensure we don't read off the end of the buffer.
* Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp:
(WebCore::AudioBufferSourceNode::renderFromBuffer):
Originally-landed-as: 280938.8 at safari-7619-branch (252fb2fc9cfd). rdar://136112007
Canonical link: https://commits.webkit.org/283767@main

Compare: https://github.com/WebKit/WebKit/compare/1dbf4cd6a307...290b276c74a8