[webkit-changes] [WebKit/WebKit] df324c: Remote Activation of Persistent Webcam Access with...
Simon Lewis
noreply at github.com
Wed Jan 29 09:36:40 PST 2025
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: df324ce6945b6e5bc43417ee382ff35300ebabbc
https://github.com/WebKit/WebKit/commit/df324ce6945b6e5bc43417ee382ff35300ebabbc
Author: Youenn Fablet <youenn at apple.com>
Date: 2025-01-29 (Wed, 29 Jan 2025)
Changed paths:
M Source/WebCore/Modules/mediastream/UserMediaRequest.cpp
Log Message:
-----------
Remote Activation of Persistent Webcam Access without User Consent
rdar://138483518
Reviewed by Eric Carlson.
A getUserMedia call may happen before the document is stopped.
The document may be stopped between the time a source is created and the time the source is attached to the document via MediaStreamTrack::create.
In that case, the source in the GPUProcess will be created but will never be removed.
If the source is a clone of an active source in GPUProcess, this will prevent the capture from stopping when the document is torn down.
To prevent this, if the context is stopped, we end the capture source in UserMediaRequest::allow.
* Source/WebCore/Modules/mediastream/UserMediaRequest.cpp:
(WebCore::UserMediaRequest::allow):
Originally-landed-as: 283286.445 at safari-7620-branch (bd990e20e91e). rdar://143595500
Canonical link: https://commits.webkit.org/289505@main
Commit: fe980dac0c6c09fcfccc8e118c84ac22920be6dd
https://github.com/WebKit/WebKit/commit/fe980dac0c6c09fcfccc8e118c84ac22920be6dd
Author: Youenn Fablet <youenn at apple.com>
Date: 2025-01-29 (Wed, 29 Jan 2025)
Changed paths:
A LayoutTests/http/wpt/mediastream/getUserMedia-rvfc-remove-expected.txt
A LayoutTests/http/wpt/mediastream/getUserMedia-rvfc-remove.html
A LayoutTests/http/wpt/mediastream/resources/getUserMedia-rvfc-remove-iframe.html
M Source/WebCore/html/HTMLVideoElement.cpp
M Source/WebCore/html/HTMLVideoElement.h
Log Message:
-----------
J475d/24C76: Potential UAF in HTMLVideoElement::serviceRequestVideoFrameCallbacks
rdar://140271547
Reviewed by Eric Carlson.
When servicing rvfc requests, we can navigate the document which will stop the HTMLVideoElement.
This will clear the m_servicedVideoFrameRequests, which will delete the requests.
To prevent this issue, we clear the call of VideoFrameRequest but do not clear m_servicedVideoFrameRequests.
We remove VideoFrameRequest::cancelled as we now store a RefPtr callback.
* LayoutTests/http/wpt/mediastream/getUserMedia-rvfc-remove-expected.txt: Added.
* LayoutTests/http/wpt/mediastream/getUserMedia-rvfc-remove.html: Added.
* LayoutTests/http/wpt/mediastream/resources/getUserMedia-rvfc-remove-iframe.html: Added.
* Source/WebCore/html/HTMLVideoElement.cpp:
(WebCore::HTMLVideoElement::cancelVideoFrameCallback):
(WebCore::HTMLVideoElement::stop):
(WebCore::HTMLVideoElement::serviceRequestVideoFrameCallbacks):
* Source/WebCore/html/HTMLVideoElement.h:
Originally-landed-as: 283286.513 at safari-7620-branch (5e06ca5a17cd). rdar://143595105
Canonical link: https://commits.webkit.org/289506@main
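The re-entrancy hazard the commit message above describes, as an added example that is not WebKit's code: a minimal element services a batch of frame callbacks, and one of those callbacks stops the element mid-loop. The type and member names (VideoElement, FrameRequest, pending/serviced) are illustrative assumptions, and a std::shared_ptr holding a nullable std::function stands in for the RefPtr callback the commit mentions. The buggy stop() that clears the list being iterated is kept only for contrast and is never called.

```cpp
// Added example (not WebKit code): servicing a list of frame callbacks when a
// callback may stop the owning element. Names are illustrative stand-ins.
#include <functional>
#include <memory>
#include <utility>
#include <vector>

struct VideoElement;

// One pending requestVideoFrameCallback registration. Resetting the callback
// cancels the request without freeing the object that a loop may still hold.
struct FrameRequest {
    std::function<void(VideoElement&)> callback;
};

struct VideoElement {
    std::vector<std::shared_ptr<FrameRequest>> pending;   // registered, not yet serviced
    std::vector<std::shared_ptr<FrameRequest>> serviced;  // the batch being delivered now
    bool stopped = false;
    int delivered = 0;                                    // callbacks actually invoked

    void requestVideoFrameCallback(std::function<void(VideoElement&)> cb) {
        pending.push_back(std::make_shared<FrameRequest>(FrameRequest{std::move(cb)}));
    }

    // Buggy stop(): destroys the very objects serviceCallbacks() is iterating,
    // so the loop's current element reference dangles (use-after-free).
    // Never called here; shown only for contrast with stop() below.
    void stopClearingServiced() {
        stopped = true;
        pending.clear();
        serviced.clear();
    }

    // Fixed stop(): detach the callbacks but leave the serviced vector intact,
    // so an in-progress loop still owns valid objects. The loop drops them
    // itself once it has finished.
    void stop() {
        stopped = true;
        pending.clear();
        for (auto& request : serviced)
            request->callback = nullptr;
    }

    // Deliver one frame to every callback registered before this call.
    void serviceCallbacks() {
        serviced = std::move(pending);   // take the batch to run
        pending.clear();                 // moved-from: make its state explicit
        for (auto& request : serviced) {
            if (!request->callback)      // cancelled, or stopped earlier in this loop
                continue;
            auto cb = std::move(request->callback);  // take ownership so it runs at most once
            request->callback = nullptr;
            ++delivered;
            cb(*this);                   // may re-enter and call stop()
        }
        serviced.clear();                // safe: iteration is over
    }
};

// Scenario: the first callback stops the element (as a navigation would).
// Returns how many callbacks ran, or -1 if the second one wrongly fired.
int simulateStopDuringService() {
    VideoElement video;
    bool secondRan = false;
    video.requestVideoFrameCallback([](VideoElement& v) { v.stop(); });
    video.requestVideoFrameCallback([&secondRan](VideoElement&) { secondRan = true; });
    video.serviceCallbacks();
    return secondRan ? -1 : video.delivered;
}

// Scenario: a callback re-registers itself, the usual rvfc animation pattern.
// The new request lands in `pending` and is delivered on the next service pass.
int simulateReregistration() {
    VideoElement video;
    std::function<void(VideoElement&)> loop;
    loop = [&loop](VideoElement& v) { v.requestVideoFrameCallback(loop); };
    video.requestVideoFrameCallback(loop);
    video.serviceCallbacks();
    video.serviceCallbacks();
    return video.delivered;
}

int main() {
    return (simulateStopDuringService() == 1 && simulateReregistration() == 2) ? 0 : 1;
}
```

The key design point is that the container under iteration is owned by the loop, not by the stop path: stop() may only neutralise entries, and the loop must re-check each entry's callback before invoking it, since an earlier callback in the same batch can have stopped the element.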
Commit: 6ddc52d0cf22036b8e5637cab2692fe8dab183f1
https://github.com/WebKit/WebKit/commit/6ddc52d0cf22036b8e5637cab2692fe8dab183f1
Author: Daniel Liu <daniel_liu4 at apple.com>
Date: 2025-01-29 (Wed, 29 Jan 2025)
Changed paths:
A JSTests/stress/resize-array-buffer-constantly.js
M Source/JavaScriptCore/assembler/AbstractMacroAssembler.h
M Source/JavaScriptCore/dfg/DFGSlowPathGenerator.h
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
Log Message:
-----------
Improve DFG_REGISTER_ALLOCATION_VALIDATION robustness
https://bugs.webkit.org/show_bug.cgi?id=283142
rdar://139826086
Reviewed by Yusuke Suzuki.
DFG_REGISTER_ALLOCATION_VALIDATION currently checks for branches, but does not
consider slow paths. This leads to an oversight during validation that could
allow bugs to slip in.
* JSTests/stress/resize-array-buffer-constantly.js: Added.
(main):
* Source/JavaScriptCore/assembler/AbstractMacroAssembler.h:
(JSC::AbstractMacroAssembler::RegisterAllocationOffset::checkOffset):
(JSC::AbstractMacroAssembler::checkRegisterAllocationAgainstSlowPathCall):
* Source/JavaScriptCore/dfg/DFGSlowPathGenerator.h:
(JSC::DFG::slowPathCall):
Originally-landed-as: 283286.519 at safari-7620-branch (21e99e5afce3). rdar://143594883
Canonical link: https://commits.webkit.org/289507@main
Commit: 2c62bfaac3cff4e09f5bc024323d1a11d5049b63
https://github.com/WebKit/WebKit/commit/2c62bfaac3cff4e09f5bc024323d1a11d5049b63
Author: Youenn Fablet <youenn at apple.com>
Date: 2025-01-29 (Wed, 29 Jan 2025)
Changed paths:
M Source/WebCore/platform/libwebrtc/LibWebRTCVPXVideoDecoder.cpp
M Source/WebCore/platform/libwebrtc/LibWebRTCVPXVideoEncoder.cpp
Log Message:
-----------
Access to vpxDecoderQueueSingleton() is not thread-safe
rdar://140577403
Reviewed by Jean-Yves Avenard.
Make use of std::call_once to initialize the queue only once.
* Source/WebCore/platform/libwebrtc/LibWebRTCVPXVideoDecoder.cpp:
(WebCore::vpxDecoderQueue):
* Source/WebCore/platform/libwebrtc/LibWebRTCVPXVideoEncoder.cpp:
(WebCore::vpxEncoderQueue):
Originally-landed-as: 283286.533 at safari-7620-branch (e975090744cf). rdar://143594246
Canonical link: https://commits.webkit.org/289508@main
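The fix the commit message above describes, as an added example that is not WebKit's code: a process-wide queue singleton is lazily created, first in the unguarded check-then-act form that is racy under concurrent first access, then guarded with std::call_once so the initialiser runs exactly once. WorkQueue and vpxQueueSingleton are illustrative stand-ins, not WebKit's real types, and the racy accessor is kept only for contrast and is never exercised.

```cpp
// Added example (not WebKit code): thread-safe lazy initialisation of a
// singleton with std::call_once. Names are illustrative stand-ins.
#include <atomic>
#include <mutex>
#include <thread>
#include <vector>

// How many queue instances were ever constructed; the safe path must yield 1.
static std::atomic<int> g_constructions{0};

// Stand-in for a serial work queue; only its construction count matters here.
struct WorkQueue {
    WorkQueue() { ++g_constructions; }
};

// Unsafe lazy init: the null check and the assignment are separate steps, so
// two threads can both observe nullptr and both construct a queue. One copy
// leaks and callers disagree about which object is "the" singleton. This is
// the shape the commit calls not thread-safe; it is never called below.
static WorkQueue* g_racyQueue = nullptr;
WorkQueue* racyQueueSingleton() {
    if (!g_racyQueue)                  // check ...
        g_racyQueue = new WorkQueue;   // ... then act: a window for a second thread
    return g_racyQueue;
}

// Safe lazy init: std::call_once runs the initialiser exactly once, blocks
// concurrent callers until it completes, and publishes the result to all of them.
static std::once_flag g_queueOnce;
static WorkQueue* g_queue = nullptr;
WorkQueue* vpxQueueSingleton() {
    std::call_once(g_queueOnce, [] { g_queue = new WorkQueue; });
    return g_queue;
}

struct ContentionResult {
    int constructions;   // queue instances built across all threads
    bool samePointer;    // did every thread receive the same queue?
};

// Hit the safe accessor from several threads at once and report what they saw.
ContentionResult runConcurrentLookups(unsigned threadCount) {
    std::vector<std::thread> threads;
    std::vector<WorkQueue*> seen(threadCount, nullptr);
    for (unsigned i = 0; i < threadCount; ++i)
        threads.emplace_back([&seen, i] { seen[i] = vpxQueueSingleton(); });
    for (auto& t : threads)
        t.join();
    bool same = true;
    for (auto* q : seen)
        same = same && (q == seen[0]);
    return { g_constructions.load(), same };
}

int main() {
    ContentionResult r = runConcurrentLookups(16);
    return (r.constructions == 1 && r.samePointer) ? 0 : 1;
}
```

A function-local `static WorkQueue queue;` would give the same once-only guarantee in C++11 and later; std::call_once is the natural choice when the object must stay a heap pointer or when initialisation has to be split from declaration, as with a queue handed out to several translation units.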
Commit: 3a3c6732ffd4ee62b5c24e10e683068549ac1f3a
https://github.com/WebKit/WebKit/commit/3a3c6732ffd4ee62b5c24e10e683068549ac1f3a
Author: Simon Lewis <simon.lewis at apple.com>
Date: 2025-01-29 (Wed, 29 Jan 2025)
Changed paths:
M Source/WebKit/Shared/Cocoa/CoreIPCPlistArray.mm
M Tools/TestWebKitAPI/Tests/IPC/IPCSerialization.mm
Log Message:
-----------
CoreIPCPlistArray::toID() incorrect lifetime management with createNSArray
rdar://140507449
https://bugs.webkit.org/show_bug.cgi?id=283915
Reviewed by Sihui Liu.
* Source/WebKit/Shared/Cocoa/CoreIPCPlistArray.mm:
(WebKit::CoreIPCPlistArray::toID const):
* Tools/TestWebKitAPI/Tests/IPC/IPCSerialization.mm:
(TEST(IPCSerialization, Plist)):
Originally-landed-as: 283286.551 at safari-7620-branch (09169e87e443). rdar://143593960
Canonical link: https://commits.webkit.org/289509@main
Compare: https://github.com/WebKit/WebKit/compare/85f2ebef3426...3a3c6732ffd4