Skip to site navigation (Press enter)

[webkit-changes] [289794] trunk

commit-queue Tue, 15 Feb 2022 01:05:18 -0800

Title: [289794] trunk

Revision: 289794
Author: [email protected]
Date: 2022-02-15 01:04:27 -0800 (Tue, 15 Feb 2022)

Log Message

null ptr deref in WebCore::HTMLModelElement::enterFullscreen()
https://bugs.webkit.org/show_bug.cgi?id=236409


Patch by Gabriel Nava Marino <[email protected]> on 2022-02-15
Reviewed by Darin Adler.

Source/WebCore:

m_modelPlayer is a RefPtr that can become nullptr, so it needs a check before
dereferencing in HTMLModelElement::enterFullscreen(), as is done in other parts of
this class.

Also added a similar check missing in HTMLModelElement::platformLayer(), which was identified via code inspection.

Test: model-element/model-element-enter-fullscreen-crash.html

* Modules/model-element/HTMLModelElement.cpp:
(WebCore::HTMLModelElement::platformLayer const):
(WebCore::HTMLModelElement::enterFullscreen):

LayoutTests:

* model-element/model-element-enter-fullscreen-crash-expected.txt: Added.
* model-element/model-element-enter-fullscreen-crash.html: Added.

Modified Paths

trunk/LayoutTests/ChangeLog
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/Modules/model-element/HTMLModelElement.cpp

Added Paths

trunk/LayoutTests/model-element/model-element-enter-fullscreen-crash-expected.txt
trunk/LayoutTests/model-element/model-element-enter-fullscreen-crash.html

Diff

Modified: trunk/LayoutTests/ChangeLog (289793 => 289794)


--- trunk/LayoutTests/ChangeLog	2022-02-15 08:36:26 UTC (rev 289793)
+++ trunk/LayoutTests/ChangeLog	2022-02-15 09:04:27 UTC (rev 289794)
@@ -1,3 +1,13 @@
+2022-02-15  Gabriel Nava Marino  <[email protected]>
+
+        null ptr deref in WebCore::HTMLModelElement::enterFullscreen()
+        https://bugs.webkit.org/show_bug.cgi?id=236409
+
+        Reviewed by Darin Adler.
+
+        * model-element/model-element-enter-fullscreen-crash-expected.txt: Added.
+        * model-element/model-element-enter-fullscreen-crash.html: Added.
+
 2022-02-15  Carlos Garcia Campos  <[email protected]>
 
         REGRESSION(r195447): [GTK] document.activeElement not set on mouse click

Added: trunk/LayoutTests/model-element/model-element-enter-fullscreen-crash-expected.txt (0 => 289794)


--- trunk/LayoutTests/model-element/model-element-enter-fullscreen-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/model-element/model-element-enter-fullscreen-crash-expected.txt	2022-02-15 09:04:27 UTC (rev 289794)
@@ -0,0 +1,2 @@
+CONSOLE MESSAGE: This test passes if it does not crash.
+

Added: trunk/LayoutTests/model-element/model-element-enter-fullscreen-crash.html (0 => 289794)


--- trunk/LayoutTests/model-element/model-element-enter-fullscreen-crash.html	                        (rev 0)
+++ trunk/LayoutTests/model-element/model-element-enter-fullscreen-crash.html	2022-02-15 09:04:27 UTC (rev 289794)
@@ -0,0 +1,9 @@
+<!DOCTYPE html>
+<script>
+  document.createElement('model').enterFullscreen();
+  _onload_ = () => {
+    if (window.testRunner)
+      testRunner.dumpAsText();
+    console.log("This test passes if it does not crash.");
+  };
+</script>

Modified: trunk/Source/WebCore/ChangeLog (289793 => 289794)


--- trunk/Source/WebCore/ChangeLog	2022-02-15 08:36:26 UTC (rev 289793)
+++ trunk/Source/WebCore/ChangeLog	2022-02-15 09:04:27 UTC (rev 289794)
@@ -1,3 +1,22 @@
+2022-02-15  Gabriel Nava Marino  <[email protected]>
+
+        null ptr deref in WebCore::HTMLModelElement::enterFullscreen()
+        https://bugs.webkit.org/show_bug.cgi?id=236409
+
+        Reviewed by Darin Adler.
+
+        m_modelPlayer is a RefPtr that can become nullptr, so it needs a check before
+        dereferencing in HTMLModelElement::enterFullscreen(), as is done in other parts of
+        this class.
+
+        Also added a similar check missing in HTMLModelElement::platformLayer(), which was identified via code inspection.
+
+        Test: model-element/model-element-enter-fullscreen-crash.html
+
+        * Modules/model-element/HTMLModelElement.cpp:
+        (WebCore::HTMLModelElement::platformLayer const):
+        (WebCore::HTMLModelElement::enterFullscreen):
+
 2022-02-15  Carlos Garcia Campos  <[email protected]>
 
         REGRESSION(r195447): [GTK] document.activeElement not set on mouse click

Modified: trunk/Source/WebCore/Modules/model-element/HTMLModelElement.cpp (289793 => 289794)


--- trunk/Source/WebCore/Modules/model-element/HTMLModelElement.cpp	2022-02-15 08:36:26 UTC (rev 289793)
+++ trunk/Source/WebCore/Modules/model-element/HTMLModelElement.cpp	2022-02-15 09:04:27 UTC (rev 289794)
@@ -274,7 +274,9 @@
 
 PlatformLayer* HTMLModelElement::platformLayer() const
 {
-    return m_modelPlayer->layer();
+    if (m_modelPlayer)
+        return m_modelPlayer->layer();
+    return nullptr;
 }
 
 void HTMLModelElement::sizeMayHaveChanged()
@@ -322,7 +324,8 @@
 
 void HTMLModelElement::enterFullscreen()
 {
-    m_modelPlayer->enterFullscreen();
+    if (m_modelPlayer)
+        m_modelPlayer->enterFullscreen();
 }
 
 // MARK: - Interaction support.

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes