Title: [261698] trunk/Source/WebKit
Revision
261698
Author
[email protected]
Date
2020-05-14 11:02:13 -0700 (Thu, 14 May 2020)

Log Message

Crash in PDFPlugin::ensureDataBufferLength
<rdar://problem/62932155> and https://bugs.webkit.org/show_bug.cgi?id=211818

Reviewed by Tim Horton.

There's some currently unreproducible case(s) where a range request finishes
while there's no m_data to append it to.

It's fair hardening to handle that case.

* WebProcess/Plugins/PDF/PDFPlugin.mm:
(WebKit::PDFPlugin::getResourceBytesAtPositionMainThread): Handle null m_data.
(WebKit::PDFPlugin::ensureDataBufferLength): Ditto.

Modified Paths

Diff

Modified: trunk/Source/WebKit/ChangeLog (261697 => 261698)


--- trunk/Source/WebKit/ChangeLog	2020-05-14 17:54:45 UTC (rev 261697)
+++ trunk/Source/WebKit/ChangeLog	2020-05-14 18:02:13 UTC (rev 261698)
@@ -1,3 +1,19 @@
+2020-05-14  Brady Eidson  <[email protected]>
+
+        Crash in PDFPlugin::ensureDataBufferLength
+        <rdar://problem/62932155> and https://bugs.webkit.org/show_bug.cgi?id=211818
+
+        Reviewed by Tim Horton.
+
+        There's some currently unreproducible case(s) where a range request finishes
+        while there's no m_data to append it to.
+        
+        It's fair hardening to handle that case.
+
+        * WebProcess/Plugins/PDF/PDFPlugin.mm:
+        (WebKit::PDFPlugin::getResourceBytesAtPositionMainThread): Handle null m_data.
+        (WebKit::PDFPlugin::ensureDataBufferLength): Ditto.
+
 2020-05-14  Per Arne Vollan  <[email protected]>
 
         [iOS] Update message filtering rules in the WebContent process' sandbox
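Review bot: the blank line after "while there's no m_data to append it to." in the new ChangeLog entry carries trailing whitespace (the other blank lines in the entry are just "+"); trim it so the entry matches the surrounding ChangeLog formatting.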

Modified: trunk/Source/WebKit/WebProcess/Plugins/PDF/PDFPlugin.mm (261697 => 261698)


--- trunk/Source/WebKit/WebProcess/Plugins/PDF/PDFPlugin.mm	2020-05-14 17:54:45 UTC (rev 261697)
+++ trunk/Source/WebKit/WebProcess/Plugins/PDF/PDFPlugin.mm	2020-05-14 18:02:13 UTC (rev 261698)
@@ -912,7 +912,7 @@
     ASSERT(m_documentFinishedLoading);
     ASSERT(position >= 0);
 
-    auto cfLength = CFDataGetLength(m_data.get());
+    auto cfLength = m_data ? CFDataGetLength(m_data.get()) : 0;
     ASSERT(cfLength >= 0);
 
     if ((unsigned)position + count > (unsigned)cfLength) {
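Review bot: with m_data null the new `cfLength` is 0, so any request with count > 0 falls into `if ((unsigned)position + count > (unsigned)cfLength)`; please confirm that branch handles "no buffer at all" and not only "buffer shorter than requested", since the callers that fill the output buffer may still assume m_data exists. Separately, the existing `(unsigned)position + count` narrows position to 32 bits and the sum can wrap, so a large position could slip past the bound check; comparing in the width of position (or using a checked addition) would make this hardening complete.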
@@ -1623,7 +1623,10 @@
 
 void PDFPlugin::ensureDataBufferLength(uint64_t targetLength)
 {
-    ASSERT(m_data);
+    if (!m_data) {
+        m_data = adoptCF(CFDataCreateMutable(0, targetLength));
+        return;
+    }
 
     auto currentLength = CFDataGetLength(m_data.get());
     ASSERT(currentLength >= 0);
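Review bot: the new early-return branch does not establish the postcondition the function name promises. `CFDataCreateMutable(0, targetLength)` only reserves capacity; the resulting object has length 0, so a caller that next writes bytes at a range up to targetLength will still be operating past the end of the data. Either call `CFDataIncreaseLength(m_data.get(), targetLength)` after creating the buffer, or drop the `return` and let the existing length-growing code below run with `currentLength == 0`. Also note that `targetLength` is a `uint64_t` while the capacity parameter is a signed `CFIndex`; an explicit bound check or checked conversion would avoid a silent narrowing.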