[Webkit-unassigned] [Bug 239719] New: NULL pointer dereference on Touch event when contents are being repeatedly updated

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Apr 25 07:12:13 PDT 2022


https://bugs.webkit.org/show_bug.cgi?id=239719

            Bug ID: 239719
           Summary: NULL pointer dereference on Touch event when contents
                    are being repeatedly updated
           Product: WebKit
           Version: Other
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: Minor
          Priority: P2
         Component: WebKit2
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: cnconlinux at gmail.com
                CC: kkinnunen at apple.com

When contents are repeatedly being updated using the webkit_web_view_load_html() call, a NULL pointer dereference sometimes occurs on a touch event. The crash occurs when clicking on an invisible window while propagating the touch event further using the GDK_EVENT_PROPAGATE return value.

Debian package version:
libwebkit2gtk-4.0-37:amd64                      2.34.6-1~deb10u1

Address sanitizer logs:
AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7fa3d60e794d bp 0x621002f062a0 sp 0x7ffdccb1bcf0 T0)
The signal is caused by a READ memory access.
Hint: address points to the zero page.
#0 0x7fa3d60e794c in webkitWebViewBaseTouchEvent ../Source/WebKit/UIProcess/API/gtk/WebKitWebViewBase.cpp:1571
#1 0x7fa3cf6df273 in _gtk_marshal_BOOLEAN__BOXEDv ../../../../gtk/gtkmarshalers.c:129
#2 0x7fa3cee3ced5 in _g_closure_invoke_va ../../../gobject/gclosure.c:873
#3 0x7fa3cee58db3 in g_signal_emit_valist ../../../gobject/gsignal.c:3301
#4 0x7fa3cee599be in g_signal_emit ../../../gobject/gsignal.c:3448
#5 0x7fa3cf68d323 in gtk_widget_event_internal ../../../../gtk/gtkwidget.c:7744
#6 0x7fa3cf54d975 in propagate_event_up ../../../../gtk/gtkmain.c:2592
#7 0x7fa3cf54d975 in propagate_event ../../../../gtk/gtkmain.c:2695
#8 0x7fa3cf54fa82 in gtk_main_do_event ../../../../gtk/gtkmain.c:1915
#9 0x7fa3cf54fa82 in gtk_main_do_event ../../../../gtk/gtkmain.c:1685
#10 0x7fa3cf251464 in _gdk_event_emit ../../../../gdk/gdkevents.c:73
#11 0x7fa3cf282111 in gdk_event_source_dispatch ../../../../../gdk/x11/gdkeventsource.c:367
#12 0x7fa3ced58fed in g_main_dispatch ../../../glib/gmain.c:3182
#13 0x7fa3ced58fed in g_main_context_dispatch ../../../glib/gmain.c:3847
#14 0x7fa3ced59287 in g_main_context_iterate ../../../glib/gmain.c:3920
#15 0x7fa3ced5931b in g_main_context_iteration ../../../glib/gmain.c:3981
#16 0x7fa3cef4ea3c in g_application_run ../../../gio/gapplication.c:2470
...
AddressSanitizer can not provide additional info.
AddressSanitizer: SEGV ../Source/WebKit/UIProcess/API/gtk/WebKitWebViewBase.cpp:1571 in webkitWebViewBaseTouchEvent


Affected code:
    case GDK_TOUCH_UPDATE: {
        auto it = priv->touchEvents.find(sequence);
        ASSERT(it != priv->touchEvents.end());
        it->value.reset(gdk_event_copy(touchEvent));
        break;
    }

Line WebKitWebViewBase.cpp:1571:
        it->value.reset(gdk_event_copy(touchEvent));
