[webkit-changes] [221779] trunk/Source/WebKit

[carlosgc]

Title: [221779] trunk/Source/WebKit

Revision

221779

Author

carlo...@webkit.org

Date

2017-09-07 23:31:22 -0700 (Thu, 07 Sep 2017)

Log Message

[GTK][WPE] UI process crash in WebBackForwardList::restoreFromState
https://bugs.webkit.org/show_bug.cgi?id=176303

Reviewed by Michael Catanzaro.

Ensure the current index provided by the session state is not out of actual item list bounds. This is a bug in
the session state decoder, but WebBackForwardList::backForwardListState() is already doing the check and using
the last item index instead, so it's not easy to know where the actual problem is. In any case we should
still protect the decoder.

* UIProcess/API/glib/WebKitWebViewSessionState.cpp:
(decodeSessionState):

Modified Paths

• trunk/Source/WebKit/ChangeLog
• trunk/Source/WebKit/UIProcess/API/glib/WebKitWebViewSessionState.cpp

Diff

Modified: trunk/Source/WebKit/ChangeLog (221778 => 221779)

--- trunk/Source/WebKit/ChangeLog	2017-09-08 06:21:29 UTC (rev 221778)
+++ trunk/Source/WebKit/ChangeLog	2017-09-08 06:31:22 UTC (rev 221779)
@@ -1,3 +1,18 @@
+2017-09-07  Carlos Garcia Campos  <cgar...@igalia.com>
+
+        [GTK][WPE] UI process crash in WebBackForwardList::restoreFromState
+        https://bugs.webkit.org/show_bug.cgi?id=176303
+
+        Reviewed by Michael Catanzaro.
+
+        Ensure the current index provided by the session state is not out of actual item list bounds. This is a bug in
+        the session state decoder, but WebBackForwardList::backForwardListState() is already doing the check and using
+        the last item index instead, so it's not easy to know where the actual problem is. In any case we should
+        still protect the decoder.
+
+        * UIProcess/API/glib/WebKitWebViewSessionState.cpp:
+        (decodeSessionState):
+
 2017-09-07  Andy Estes  <aes...@apple.com>
 
         [Mac] Upstream QTKit-related WebKitSystemInterface functions

Modified: trunk/Source/WebKit/UIProcess/API/glib/WebKitWebViewSessionState.cpp (221778 => 221779)

--- trunk/Source/WebKit/UIProcess/API/glib/WebKitWebViewSessionState.cpp	2017-09-08 06:21:29 UTC (rev 221778)
+++ trunk/Source/WebKit/UIProcess/API/glib/WebKitWebViewSessionState.cpp	2017-09-08 06:31:22 UTC (rev 221779)
@@ -369,7 +369,7 @@
     decodeBackForwardListItemState(backForwardListStateIter.get(), sessionState.backForwardListState);
 
     if (hasCurrentIndex)
-        sessionState.backForwardListState.currentIndex = currentIndex;
+        sessionState.backForwardListState.currentIndex = std::min<uint32_t>(currentIndex, sessionState.backForwardListState.items.size() - 1);
     return true;
 }
 

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes