Title: [262864] trunk/Source/WebKit
Revision: 262864
Author: [email protected]
Date: 2020-06-10 15:23:35 -0700 (Wed, 10 Jun 2020)

Log Message

Crash growing a CFData with incremental PDF loading.
<rdar://problem/63670403> and https://bugs.webkit.org/show_bug.cgi?id=213035

Reviewed by Alex Christensen.

No test - No reliable way to trigger.

* WebProcess/Plugins/PDF/PDFPlugin.mm:
(WebKit::PDFPlugin::ensureDataBufferLength): When you call CFDataCreateMutable with a size other than 0,
  your data object can never grow beyond that size.
  And, in fact, CFData will crash on purpose when this is attempted.
  So always create our mutable CFDatas with size 0 even if we immediately plan to grow them.
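
The capacity rule the log message describes, as an added example that is not WebKit's or Apple's code: a stand-alone CoreFoundation C program (it builds on macOS only) with a hypothetical helper, ensureMutableDataLength, that mirrors the grow-from-capacity-0 pattern and adds the range check that the unsigned 64-bit target versus the signed CFIndex type calls for. The chunk sizes are constructed; the one call that would trip CFData's fixed-capacity trap is shown commented out rather than executed.

```objective-c
// Added example (not WebKit or Apple code): the growth pattern the commit
// settles on, as a stand-alone CoreFoundation program.
// Build on macOS: clang -framework CoreFoundation ensure_length.c
#include <CoreFoundation/CoreFoundation.h>
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

// Hypothetical helper mirroring ensureDataBufferLength: grow `data` to at
// least `targetLength` bytes. Returns false instead of attempting a growth
// whose size cannot be represented as a CFIndex.
static bool ensureMutableDataLength(CFMutableDataRef data, uint64_t targetLength)
{
    if (!data)
        return false;
    // CFIndex is a signed long on Apple platforms; a uint64_t target above
    // LONG_MAX cannot be handed to CFDataIncreaseLength without wrapping.
    if (targetLength > (uint64_t)LONG_MAX)
        return false;
    CFIndex wanted = (CFIndex)targetLength;
    CFIndex current = CFDataGetLength(data);
    if (current >= wanted)
        return true; // already long enough; nothing to do
    CFDataIncreaseLength(data, wanted - current); // new bytes are zero-filled
    return CFDataGetLength(data) == wanted;
}

int main(void)
{
    // Capacity 0: the object grows as needed, which is what the fix relies on.
    CFMutableDataRef growable = CFDataCreateMutable(kCFAllocatorDefault, 0);
    // Constructed end offsets standing in for an incremental PDF load.
    uint64_t chunkEnds[] = { 1024, 8192, 8192, 65536 };
    for (size_t i = 0; i < sizeof chunkEnds / sizeof chunkEnds[0]; i++) {
        bool ok = ensureMutableDataLength(growable, chunkEnds[i]);
        printf("ensure %llu -> %s, length now %ld\n",
               (unsigned long long)chunkEnds[i], ok ? "ok" : "refused",
               (long)CFDataGetLength(growable));
    }
    // A target that does not fit in CFIndex is refused instead of wrapping.
    printf("ensure UINT64_MAX -> %s\n",
           ensureMutableDataLength(growable, UINT64_MAX) ? "ok" : "refused");
    CFRelease(growable);

    // Non-zero capacity: the object is still created EMPTY (length 0), so the
    // old early return never produced a buffer of targetLength, and the
    // capacity is a hard ceiling. Growing up to it works; growing past it is
    // the deliberate CFData trap the commit message describes, so that line
    // is left commented out.
    CFMutableDataRef fixed = CFDataCreateMutable(kCFAllocatorDefault, 16);
    printf("fixed-capacity object starts at length %ld\n", (long)CFDataGetLength(fixed));
    CFDataIncreaseLength(fixed, 16);   // fine: exactly at capacity
    // CFDataIncreaseLength(fixed, 1); // would trap: beyond the fixed capacity
    CFRelease(fixed);
    return 0;
}
```

The helper is idempotent (the repeated 8192 target is a no-op), so callers can invoke it for every incoming chunk without tracking whether the buffer has already been sized.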

Modified Paths

Diff

Modified: trunk/Source/WebKit/ChangeLog (262863 => 262864)


--- trunk/Source/WebKit/ChangeLog	2020-06-10 22:03:12 UTC (rev 262863)
+++ trunk/Source/WebKit/ChangeLog	2020-06-10 22:23:35 UTC (rev 262864)
@@ -1,3 +1,18 @@
+2020-06-10  Brady Eidson  <[email protected]>
+
+        Crash growing a CFData with incremental PDF loading.
+        <rdar://problem/63670403> and https://bugs.webkit.org/show_bug.cgi?id=213035
+
+        Reviewed by Alex Christensen.
+
+        No test - No reliable way to trigger.
+
+        * WebProcess/Plugins/PDF/PDFPlugin.mm:
+        (WebKit::PDFPlugin::ensureDataBufferLength): When you call CFDataCreateMutable with a size other than 0,
+          your data object can never grow beyond that size.
+          And, in fact, CFData will crash on purpose when this is attempted.
+          So always create our mutable CFDatas with size 0 even if we immediately plan to grow them.
+
 2020-06-10  Jonathan Bedard  <[email protected]>
 
         WebKit: Add ClockKitSPI.h
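
Review bot: the ChangeLog entry describes the capacity ceiling of CFDataCreateMutable but not the second defect in the code being replaced: an object created with a non-zero capacity still starts at length 0, so the early return in the old ensureDataBufferLength handed back an empty buffer rather than one of targetLength. A sentence noting that the function now falls through to the normal growth path on first use would make the entry match the PDFPlugin.mm change.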

Modified: trunk/Source/WebKit/WebProcess/Plugins/PDF/PDFPlugin.mm (262863 => 262864)


--- trunk/Source/WebKit/WebProcess/Plugins/PDF/PDFPlugin.mm	2020-06-10 22:03:12 UTC (rev 262863)
+++ trunk/Source/WebKit/WebProcess/Plugins/PDF/PDFPlugin.mm	2020-06-10 22:23:35 UTC (rev 262864)
@@ -1624,10 +1624,8 @@
 
 void PDFPlugin::ensureDataBufferLength(uint64_t targetLength)
 {
-    if (!m_data) {
-        m_data = adoptCF(CFDataCreateMutable(0, targetLength));
-        return;
-    }
+    if (!m_data)
+        m_data = adoptCF(CFDataCreateMutable(0, 0));
 
     auto currentLength = CFDataGetLength(m_data.get());
     ASSERT(currentLength >= 0);
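
Review bot: with the early return gone, the empty object created at `m_data = adoptCF(CFDataCreateMutable(0, 0));` now reaches `auto currentLength = CFDataGetLength(m_data.get());` and the growth logic below the hunk, which is the right shape for the fix; since targetLength is a uint64_t and CFDataGetLength returns a signed CFIndex, please confirm that the comparison and increase that follow (outside the shown context) reject or clamp a targetLength larger than CFIndex can hold before computing the delta, otherwise `ASSERT(currentLength >= 0);` guards only one side of that arithmetic. A null check after CFDataCreateMutable would also let the function fail cleanly instead of calling CFDataGetLength on a null reference, if allocation failure is something this path is meant to survive.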
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
