Title: [262869] branches/safari-610.1.15.51-branch/Source/WebKit
- Revision: 262869
- Author: repst...@apple.com
- Date: 2020-06-10 16:11:31 -0700 (Wed, 10 Jun 2020)
Log Message
Cherry-pick r262864. rdar://problem/64223970
Crash growing a CFData with incremental PDF loading.
<rdar://problem/63670403> and https://bugs.webkit.org/show_bug.cgi?id=213035
Reviewed by Alex Christensen.
No test - No reliable way to trigger.
* WebProcess/Plugins/PDF/PDFPlugin.mm:
(WebKit::PDFPlugin::ensureDataBufferLength): When you call CFDataCreateMutable with a size other than 0,
your data object can never grow beyond that size.
And, in fact, CFData will crash on purpose when this is attempted.
So always create our mutable CFDatas with size 0 even if we immediately plan to grow them.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@262864 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Modified Paths
Diff
Modified: branches/safari-610.1.15.51-branch/Source/WebKit/ChangeLog (262868 => 262869)
--- branches/safari-610.1.15.51-branch/Source/WebKit/ChangeLog 2020-06-10 23:05:11 UTC (rev 262868)
+++ branches/safari-610.1.15.51-branch/Source/WebKit/ChangeLog 2020-06-10 23:11:31 UTC (rev 262869)
@@ -1,3 +1,38 @@
+2020-06-10 Russell Epstein <repst...@apple.com>
+
+ Cherry-pick r262864. rdar://problem/64223970
+
+ Crash growing a CFData with incremental PDF loading.
+ <rdar://problem/63670403> and https://bugs.webkit.org/show_bug.cgi?id=213035
+
+ Reviewed by Alex Christensen.
+
+ No test - No reliable way to trigger.
+
+ * WebProcess/Plugins/PDF/PDFPlugin.mm:
+ (WebKit::PDFPlugin::ensureDataBufferLength): When you call CFDataCreateMutable with a size other than 0,
+ your data object can never grow beyond that size.
+ And, in fact, CFData will crash on purpose when this is attempted.
+ So always create our mutable CFDatas with size 0 even if we immediately plan to grow them.
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@262864 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2020-06-10 Brady Eidson <beid...@apple.com>
+
+ Crash growing a CFData with incremental PDF loading.
+ <rdar://problem/63670403> and https://bugs.webkit.org/show_bug.cgi?id=213035
+
+ Reviewed by Alex Christensen.
+
+ No test - No reliable way to trigger.
+
+ * WebProcess/Plugins/PDF/PDFPlugin.mm:
+ (WebKit::PDFPlugin::ensureDataBufferLength): When you call CFDataCreateMutable with a size other than 0,
+ your data object can never grow beyond that size.
+ And, in fact, CFData will crash on purpose when this is attempted.
+ So always create our mutable CFDatas with size 0 even if we immediately plan to grow them.
+
2020-06-05 Alan Coon <alanc...@apple.com>
Cherry-pick r262586. rdar://problem/64034619
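Review bot: "No test - No reliable way to trigger" in the added entries leaves a deliberate-crash path with no regression coverage, and the entry does not record the call pattern that reaches it. From the entry's own explanation, the pattern is a first call to ensureDataBufferLength that creates the buffer with a nonzero limit, followed by a later call asking for a longer length during incremental loading; stating that in one sentence would help anyone who later tries to write a test. The entry also says "size" where the second argument of CFDataCreateMutable is a capacity (a maximum, with 0 meaning no limit), so "capacity" would be the more precise word in the description.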
Modified: branches/safari-610.1.15.51-branch/Source/WebKit/WebProcess/Plugins/PDF/PDFPlugin.mm (262868 => 262869)
--- branches/safari-610.1.15.51-branch/Source/WebKit/WebProcess/Plugins/PDF/PDFPlugin.mm 2020-06-10 23:05:11 UTC (rev 262868)
+++ branches/safari-610.1.15.51-branch/Source/WebKit/WebProcess/Plugins/PDF/PDFPlugin.mm 2020-06-10 23:11:31 UTC (rev 262869)
@@ -1623,10 +1623,8 @@
void PDFPlugin::ensureDataBufferLength(uint64_t targetLength)
{
- if (!m_data) {
- m_data = adoptCF(CFDataCreateMutable(0, targetLength));
- return;
- }
+ if (!m_data)
+ m_data = adoptCF(CFDataCreateMutable(0, 0));
auto currentLength = CFDataGetLength(m_data.get());
ASSERT(currentLength >= 0);
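Review bot: the reason for passing 0 as the capacity in `m_data = adoptCF(CFDataCreateMutable(0, 0));` is recorded only in the ChangeLog, so a later cleanup could put `targetLength` back there as a preallocation hint; a short comment above that line saying that a nonzero capacity is a hard limit on growth would guard against that. With the early `return` removed, the first call now falls through to the `currentLength` logic, and the growth code after `ASSERT(currentLength >= 0)` is outside this hunk, so it is worth confirming that it behaves correctly for a freshly created zero-length buffer. The same code takes `targetLength` as a `uint64_t` while the length it is compared against is signed and only checked by a debug `ASSERT`, so a range check on `targetLength` before that comparison would be a reasonable follow-up.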
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes