Branch: refs/heads/webkitglib/2.38
Home: https://github.com/WebKit/WebKit
Commit: 87a8908368977e945744a964b929bd136d7664a1
https://github.com/WebKit/WebKit/commit/87a8908368977e945744a964b929bd136d7664a1
Author: Chirag M Shah <[email protected]>
Date: 2023-01-31 (Tue, 31 Jan 2023)
Changed paths:
M Source/WebCore/Modules/websockets/WebSocketDeflater.cpp
Log Message:
-----------
Cherry-pick 252432.940@safari-7614-branch (e34a3c3b5918).
rdar://problem/80071711
Fix int overflow leading to OOB write
rdar://problem/80071711
Reviewed by Chris Dumez and Ryan Haddad.
* Source/WebCore/Modules/websockets/WebSocketDeflater.cpp:
(WebCore::WebSocketDeflater::addBytes):
(WebCore::WebSocketDeflater::finish):
(WebCore::WebSocketInflater::addBytes):
(WebCore::WebSocketInflater::finish):
* Source/WebCore/rendering/updating/RenderTreeBuilder.cpp:
(WebCore::RenderTreeBuilder::destroy):
(WebCore::RenderTreeBuilder::attach):
(WebCore::RenderTreeBuilder::attachToRenderElementInternal):
* Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:
(WebCore::RenderTreeUpdater::createTextRenderer):
Canonical link: https://commits.webkit.org/252432.940@safari-7614-branch
Commit: d12a9865c45835577955174cc86da4bf000f4aa5
https://github.com/WebKit/WebKit/commit/d12a9865c45835577955174cc86da4bf000f4aa5
Author: Charlie Wolfe <[email protected]>
Date: 2023-01-31 (Tue, 31 Jan 2023)
Changed paths:
A LayoutTests/http/tests/navigation/cross-origin-navigation-fires-onload-expected.txt
A LayoutTests/http/tests/navigation/cross-origin-navigation-fires-onload.html
A LayoutTests/http/tests/navigation/resources/postmessage-on-hashchange.html
M Source/WebCore/loader/FrameLoader.cpp
Log Message:
-----------
Cherry-pick 252432.942@safari-7614-branch (d7af255eed5c).
https://bugs.webkit.org/show_bug.cgi?id=241753
cross origin iframe load event can be used for a malicious way
https://bugs.webkit.org/show_bug.cgi?id=241753
rdar://95467115
Reviewed by Chris Dumez and Ryan Haddad.
This bug describes an issue where it is possible to guess a URL that is
redirected to by a cross-origin iframe. To fix this, WebKit should fire a
load event when the direct parent frame is cross-origin.
This fix is very similar to what is described in https://crbug.com/1248444.
* Source/WebCore/loader/FrameLoader.cpp:
(WebCore::FrameLoader::loadInSameDocument):
* LayoutTests/http/tests/navigation/cross-origin-navigation-fires-onload-expected.txt: Added.
* LayoutTests/http/tests/navigation/cross-origin-navigation-fires-onload.html: Added.
* LayoutTests/http/tests/navigation/resources/postmessage-on-hashchange.html: Added.
Canonical link: https://commits.webkit.org/252432.942@safari-7614-branch
Commit: a462ab39cd5284c9dda5a03b0c1b79112be2c715
https://github.com/WebKit/WebKit/commit/a462ab39cd5284c9dda5a03b0c1b79112be2c715
Author: Rob Buis <[email protected]>
Date: 2023-01-31 (Tue, 31 Jan 2023)
Changed paths:
A LayoutTests/fast/block/crash-empty-layoutStateStack-expected.txt
A LayoutTests/fast/block/crash-empty-layoutStateStack.html
M Source/WebCore/rendering/RenderBlock.cpp
Log Message:
-----------
Cherry-pick [email protected] (1d7abcd180ab).
https://bugs.webkit.org/show_bug.cgi?id=248771
Protect against empty layout state
https://bugs.webkit.org/show_bug.cgi?id=248771
Reviewed by Alan Baradlay.
Protect against empty layout state.
* LayoutTests/fast/block/crash-empty-layoutStateStack-expected.txt: Added.
* LayoutTests/fast/block/crash-empty-layoutStateStack.html: Added.
* Source/WebCore/rendering/RenderBlock.cpp:
(WebCore::RenderBlock::layoutPositionedObject):
(WebCore::RenderBlock::markForPaginationRelayoutIfNeeded):
Canonical link: https://commits.webkit.org/[email protected]
Commit: 4cc83dae19c5dbcf96f740bac271505a041abea2
https://github.com/WebKit/WebKit/commit/4cc83dae19c5dbcf96f740bac271505a041abea2
Author: Philippe Normand <[email protected]>
Date: 2023-01-31 (Tue, 31 Jan 2023)
Changed paths:
M Source/WebCore/platform/graphics/gstreamer/TextCombinerGStreamer.cpp
Log Message:
-----------
Cherry-pick 259419@main (537d68a65fe7).
https://bugs.webkit.org/show_bug.cgi?id=251142
[GStreamer][1.22] Critical warning in internal text combiner element
https://bugs.webkit.org/show_bug.cgi?id=251142
Reviewed by Xabier Rodriguez-Calvar.
The `concat` pad request was done with a pad template not belonging to the element, so instead use the simple request-pad API and let the element figure out the pad template itself.
* Source/WebCore/platform/graphics/gstreamer/TextCombinerGStreamer.cpp:
(webkitTextCombinerRequestNewPad):
Canonical link: https://commits.webkit.org/259419@main
Commit: fe00271b8218ea548c30f4618f51ff16cce3e638
https://github.com/WebKit/WebKit/commit/fe00271b8218ea548c30f4618f51ff16cce3e638
Author: Angela Izquierdo Garcia <[email protected]>
Date: 2023-01-31 (Tue, 31 Jan 2023)
Changed paths:
M Source/WebCore/platform/graphics/filters/software/FEConvolveMatrixSoftwareApplier.cpp
M Source/WebCore/platform/graphics/filters/software/FEConvolveMatrixSoftwareApplier.h
Log Message:
-----------
Cherry-pick 252432.943@safari-7614-branch (c6249012752b).
https://bugs.webkit.org/show_bug.cgi?id=248288
Floating Point Exception in FEConvolveMatrixSoftwareApplier::applyPlatform
https://bugs.webkit.org/show_bug.cgi?id=248288
rdar://102137760
There is a division by zero because sometimes one of the two variables involved in a division (clipBottom and iterations) is much bigger than the other, and as C++ rounds down the quotient is consequently zero, which leads to the subsequent exception.
Reviewed by Geoffrey Garen and David Kilzer.
* Source/WebCore/platform/graphics/filters/software/FEConvolveMatrixSoftwareApplier.cpp:
(WebCore::FEConvolveMatrixSoftwareApplier::setInteriorPixels):
(WebCore::FEConvolveMatrixSoftwareApplier::applyPlatform const):
* Source/WebCore/platform/graphics/filters/software/FEConvolveMatrixSoftwareApplier.h:
Canonical link: https://commits.webkit.org/252432.943@safari-7614-branch
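The rounding-down failure that commit message describes, shown as an added example. This is not WebKit's FEConvolveMatrixSoftwareApplier code: the row-splitting shape, the function names and the sample clip values are assumptions of this illustration, chosen only to reproduce "integer quotient becomes 0, later division traps" and the clamp that prevents it.

```cpp
#include <algorithm>
#include <utility>
#include <vector>

// Row range [top, bottom) handed to one worker (assumed layout).
using RowRange = std::pair<int, int>;

// The failure mode: the per-iteration row count is computed with integer
// division, so when `iterations` exceeds the number of rows it rounds down to
// 0 and any later division by it raises SIGFPE. This reports the hazard instead
// of performing that second division.
bool naiveSplitWouldTrap(int clipTop, int clipBottom, int iterations)
{
    if (iterations <= 0)
        return true;                            // the first division would already trap
    int height = clipBottom - clipTop;
    int rowsPerIteration = height / iterations; // e.g. 3 / 8 == 0
    return rowsPerIteration == 0;               // height / rowsPerIteration would trap
}

// Hardened split: never use more iterations than there are rows, so the
// per-iteration count is at least 1; the last chunk absorbs the remainder.
std::vector<RowRange> splitRows(int clipTop, int clipBottom, int iterations)
{
    std::vector<RowRange> chunks;
    int height = clipBottom - clipTop;
    if (height <= 0 || iterations <= 0)
        return chunks;
    iterations = std::min(iterations, height);
    int rowsPerIteration = height / iterations; // now >= 1
    for (int i = 0; i < iterations; ++i) {
        int top = clipTop + i * rowsPerIteration;
        int bottom = (i == iterations - 1) ? clipBottom : top + rowsPerIteration;
        chunks.emplace_back(top, bottom);
    }
    return chunks;
}

// Invariant a test should assert: chunks are non-empty, contiguous and cover
// exactly [clipTop, clipBottom).
bool chunksCover(const std::vector<RowRange>& chunks, int clipTop, int clipBottom)
{
    int expectedTop = clipTop;
    for (const RowRange& chunk : chunks) {
        if (chunk.first != expectedTop || chunk.second <= chunk.first)
            return false;
        expectedTop = chunk.second;
    }
    return expectedTop == clipBottom;
}
```

The guard is the min() clamp: a worker count larger than the row count is what makes the quotient 0, so clamping keeps the later division well defined. A regression test for this path should assert chunksCover() on a small clip with a large iteration count, not only that nothing crashed.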
Commit: 752cd835e110da78f58fae8154ea8e746ba76d30
https://github.com/WebKit/WebKit/commit/752cd835e110da78f58fae8154ea8e746ba76d30
Author: Chris Dumez <[email protected]>
Date: 2023-01-31 (Tue, 31 Jan 2023)
Changed paths:
M LayoutTests/fast/loader/stateobjects/document-destroyed-navigate-back.html
A LayoutTests/fast/loader/stateobjects/popstate-does-not-fire-with-page-cache-expected.txt
A LayoutTests/fast/loader/stateobjects/popstate-does-not-fire-with-page-cache.html
R LayoutTests/fast/loader/stateobjects/popstate-fires-with-page-cache-expected.txt
R LayoutTests/fast/loader/stateobjects/popstate-fires-with-page-cache.html
A LayoutTests/fast/loader/stateobjects/resources/popstate-does-not-fire-with-page-cache-1.html
A LayoutTests/fast/loader/stateobjects/resources/popstate-does-not-fire-with-page-cache-2.html
R LayoutTests/fast/loader/stateobjects/resources/popstate-fires-with-page-cache-1.html
R LayoutTests/fast/loader/stateobjects/resources/popstate-fires-with-page-cache-2.html
M LayoutTests/fast/loader/stateobjects/resources/replacestate-in-iframe-window-child.html
M Source/WebCore/history/CachedPage.cpp
M Source/WebCore/loader/FrameLoader.cpp
M Source/WebCore/loader/FrameLoader.h
M Source/WebKit/UIProcess/WebBackForwardList.cpp
M Tools/TestWebKitAPI/Tests/WebKit/WKBackForwardList.mm
Log Message:
-----------
Cherry-pick 252432.944@safari-7614-branch (50b1632f78ae).
https://bugs.webkit.org/show_bug.cgi?id=248716
Tweak back/forward list hijacking prevention logic
https://bugs.webkit.org/show_bug.cgi?id=248716
rdar://102923240
Reviewed by Geoffrey Garen and Ryan Haddad.
Tweak back/forward list hijacking prevention logic for better protection and to align our behavior with Chrome.
In particular, let's consider this example:
Yahoo -> Yahoo#a (no userInteraction) -> Google -> Google#a (no user interaction) -> Google#b (no user interaction)
If we're currently on Google#b and navigate backwards:
- Old behavior: We load Google
- New behavior: We load Yahoo#a
The new behavior makes sense since the user feels like they are on Google
(since Google#a & Google#b happened without user interaction) and the last
page they viewed before Google was Yahoo#b.
If we're on Yahoo#a and navigate forwards:
- Old behavior: We load Google
- New behavior: We load Google#b
The new behavior makes sense as a symmetry to the case above.
Now let's consider this example:
Yahoo -> Yahoo#a (no userInteraction) -> Google
If we're on Google and navigate backwards:
- Old behavior: we load Yahoo
- New behavior: We load Yahoo#a
Finally, with this example:
Yahoo -> Google -> Google#a (no user interaction) -> Google#b (no user interaction)
If we're on Yahoo and navigate forwards:
- Old behavior: We load Google
- New behavior: We load Google#b
This patch also changes the behavior of the popstate event. We used to fire the popstate event for navigations that were not within the same document. However, this behavior wasn't aligned with the specification [1] or with other browsers. The exploit attached to the radar was also relying on this event to hijack the back/forward navigation and lock the user on a specific site.
I updated our code so that the popstate is now only fired for same-document navigations and I updated our tests accordingly. I have verified that our behavior is consistent with Blink on these new test versions.
* LayoutTests/fast/loader/stateobjects/document-destroyed-navigate-back-expected.txt:
* LayoutTests/fast/loader/stateobjects/document-destroyed-navigate-back-with-fragment-scroll-expected.txt:
* LayoutTests/fast/loader/stateobjects/document-destroyed-navigate-back.html:
* LayoutTests/fast/loader/stateobjects/popstate-does-not-fire-with-page-cache-expected.txt: Renamed from LayoutTests/fast/loader/stateobjects/popstate-fires-with-page-cache-expected.txt.
* LayoutTests/fast/loader/stateobjects/popstate-does-not-fire-with-page-cache.html: Renamed from LayoutTests/fast/loader/stateobjects/popstate-fires-with-page-cache.html.
* LayoutTests/fast/loader/stateobjects/replacestate-in-iframe-expected.txt:
* LayoutTests/fast/loader/stateobjects/resources/popstate-does-not-fire-with-page-cache-1.html: Renamed from LayoutTests/fast/loader/stateobjects/resources/popstate-fires-with-page-cache-1.html.
* LayoutTests/fast/loader/stateobjects/resources/popstate-does-not-fire-with-page-cache-2.html: Added.
* LayoutTests/fast/loader/stateobjects/resources/popstate-fires-with-page-cache-2.html: Removed.
* LayoutTests/fast/loader/stateobjects/resources/replacestate-in-iframe-window-child.html:
* Source/WebCore/history/CachedPage.cpp:
(WebCore::firePageShowEvent):
(WebCore::CachedPage::restore):
(WebCore::firePageShowAndPopStateEvents): Deleted.
* Source/WebCore/loader/FrameLoader.cpp:
(WebCore::FrameLoader::didBeginDocument):
(WebCore::FrameLoader::transitionToCommitted):
* Source/WebCore/loader/FrameLoader.h:
* Source/WebKit/UIProcess/WebBackForwardList.cpp:
(WebKit::itemSkippingBackForwardItemsAddedByJSWithoutUserGesture):
* Tools/TestWebKitAPI/Tests/WebKit/WKBackForwardList.mm:
(runBackForwardNavigationSkipsItemsWithoutUserGestureTest):
(TEST):
(runBackForwardNavigationDoesNotSkipItemsWithUserGestureTest):
Canonical link: https://commits.webkit.org/252432.944@safari-7614-branch
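The skipping rule that commit message works through by example, written out as an added illustration. This is not WebKit's WebBackForwardList code: the entry struct, the addedByJSWithoutUserGesture flag, the "perceived page" grouping and the class names are assumptions of this model, and the legacy rule is reconstructed only from the "Old behavior" lines in the message. The hostnames in the sample list are placeholders standing in for the Yahoo/Google examples above.

```cpp
#include <cstddef>
#include <string>
#include <utility>
#include <vector>

// Assumed entry shape: a URL plus a flag that is true when script created the
// entry (pushState or a fragment navigation) without a user gesture.
struct BackForwardEntry {
    std::string url;
    bool addedByJSWithoutUserGesture = false;
};

// Returned when there is nothing to go back or forward to.
const size_t kNoEntry = static_cast<size_t>(-1);

// A "perceived page" is an entry plus the run of entries that script added
// after it without a gesture. Back/Forward move between perceived pages and
// land on the last entry of the page reached, the state the user last saw.
class BackForwardList {
public:
    BackForwardList(std::vector<BackForwardEntry> entries, size_t current)
        : m_entries(std::move(entries)), m_current(current) { }

    const std::string& urlAt(size_t index) const { return m_entries[index].url; }

    // First index of the perceived page containing `index`.
    size_t pageStart(size_t index) const
    {
        while (index > 0 && m_entries[index].addedByJSWithoutUserGesture)
            --index;
        return index;
    }

    // Last index of the perceived page containing `index`.
    size_t pageEnd(size_t index) const
    {
        while (index + 1 < m_entries.size() && m_entries[index + 1].addedByJSWithoutUserGesture)
            ++index;
        return index;
    }

    // New behavior: leave the current perceived page and land on the last
    // entry of the previous one (Google#b -> Yahoo#a in the first example).
    size_t backTarget() const
    {
        size_t start = pageStart(m_current);
        return start ? start - 1 : kNoEntry;
    }

    // New behavior, mirrored: land on the last entry of the next perceived
    // page (Yahoo#a -> Google#b in the first example).
    size_t forwardTarget() const
    {
        size_t end = pageEnd(m_current);
        return end + 1 < m_entries.size() ? pageEnd(end + 1) : kNoEntry;
    }

    // Old behavior, reconstructed: skip entries script added without a
    // gesture and stop at the first one that was not (Google#b -> Google).
    size_t legacyBackTarget() const
    {
        for (size_t i = m_current; i > 0; --i) {
            if (!m_entries[i - 1].addedByJSWithoutUserGesture)
                return i - 1;
        }
        return kNoEntry;
    }

    size_t legacyForwardTarget() const
    {
        for (size_t i = m_current + 1; i < m_entries.size(); ++i) {
            if (!m_entries[i].addedByJSWithoutUserGesture)
                return i;
        }
        return kNoEntry;
    }

private:
    std::vector<BackForwardEntry> m_entries;
    size_t m_current;
};

// The first list from the message: Yahoo -> Yahoo#a (no gesture) -> Google ->
// Google#a (no gesture) -> Google#b (no gesture). Placeholder hostnames.
BackForwardList firstExampleList(size_t current)
{
    return BackForwardList({
        { "https://yahoo.example/", false },
        { "https://yahoo.example/#a", true },
        { "https://google.example/", false },
        { "https://google.example/#a", true },
        { "https://google.example/#b", true },
    }, current);
}
```

The security property is in pageStart()/pageEnd(): an attacker page can append as many gesture-less entries as it likes, but one Back press still leaves the whole run, so it cannot pin the user on its origin. Note that the model treats the flag as a property of the entry; whether the real list records it per item or per transition is not something the message states.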
Commit: 704856b4b9e8c85b8720ca91634817eb6f790956
https://github.com/WebKit/WebKit/commit/704856b4b9e8c85b8720ca91634817eb6f790956
Author: Nikolaos Mouchtaris <[email protected]>
Date: 2023-02-01 (Wed, 01 Feb 2023)
Changed paths:
A LayoutTests/fast/scrolling/mac/smooth-scroll-fixed-element-expected.txt
A LayoutTests/fast/scrolling/mac/smooth-scroll-fixed-element.html
A LayoutTests/fast/scrolling/mac/smooth-scroll-iframe-expected.txt
A LayoutTests/fast/scrolling/mac/smooth-scroll-iframe.html
A LayoutTests/fast/scrolling/resources/smooth-scroll-iframe-helper-iframe.html
M Source/WebCore/dom/Document.cpp
M Source/WebCore/page/FrameView.cpp
M Source/WebCore/page/FrameView.h
M Source/WebCore/page/scrolling/AsyncScrollingCoordinator.cpp
M Source/WebCore/platform/ScrollAnimator.cpp
M Source/WebCore/platform/ScrollableArea.h
M Source/WebCore/rendering/RenderLayerScrollableArea.cpp
M Source/WebCore/rendering/RenderLayerScrollableArea.h
Log Message:
-----------
Cherry-pick 257665@main (b08436732d9d).
https://bugs.webkit.org/show_bug.cgi?id=245300
REGRESSION (251454@main): Setting scrollTop on fixed element with overflow breaks scrolling on a 'overscroll-behavior:none' page
https://bugs.webkit.org/show_bug.cgi?id=245300
<rdar://100057532>
Reviewed by Simon Fraser.
This fixes a few issues with https://commits.webkit.org/251454@main. The first is that the fix was originally only intended for scroll-behavior: smooth, so only add the scrollable area when we are doing an animated scroll. The second is to be more strict about when these non-user scrollable areas are in the frame view's list of scrollable areas. We accomplish this by adding a call when the animation completes to updateScrollableAreaSet, which will determine if the particular scrollable area should be in the set after the animation completes. Finally, we add a check to absoluteEventTrackingRegionsForFrame(), to see if the scrollable area was added only because it needed to do an animation.
* LayoutTests/fast/scrolling/mac/smooth-scroll-fixed-element-expected.txt: Added.
* LayoutTests/fast/scrolling/mac/smooth-scroll-fixed-element.html: Added.
* Source/WebCore/dom/Document.cpp:
(WebCore::Document::runScrollSteps):
* Source/WebCore/page/scrolling/AsyncScrollingCoordinator.cpp:
(WebCore::AsyncScrollingCoordinator::animatedScrollDidEndForNode):
* Source/WebCore/page/scrolling/ScrollingCoordinator.cpp:
(WebCore::ScrollingCoordinator::absoluteEventTrackingRegionsForFrame const):
* Source/WebCore/platform/ScrollAnimator.cpp:
(WebCore::ScrollAnimator::didStopAnimatedScroll):
* Source/WebCore/platform/ScrollableArea.h:
(WebCore::ScrollableArea::animatedScrollDidEnd):
* Source/WebCore/rendering/RenderLayerScrollableArea.cpp:
(WebCore::RenderLayerScrollableArea::scrollToOffset):
(WebCore::RenderLayerScrollableArea::registerScrollableAreaForAnimatedScroll):
(WebCore::RenderLayerScrollableArea::animatedScrollDidEnd):
(WebCore::RenderLayerScrollableArea::registerScrollableArea): Deleted.
* Source/WebCore/rendering/RenderLayerScrollableArea.h:
Canonical link: https://commits.webkit.org/257665@main
Commit: cc59c39e9af8434458f041aaca11f60bc1f0f16d
https://github.com/WebKit/WebKit/commit/cc59c39e9af8434458f041aaca11f60bc1f0f16d
Author: Nikolaos Mouchtaris <[email protected]>
Date: 2023-02-01 (Wed, 01 Feb 2023)
Changed paths:
A LayoutTests/fast/scrolling/mac/smooth-scroll-crash-expected.txt
A LayoutTests/fast/scrolling/mac/smooth-scroll-crash.html
M Source/WebCore/rendering/RenderLayerScrollableArea.cpp
Log Message:
-----------
Cherry-pick 252432.947@safari-7614-branch (2d531cf29dfa).
https://bugs.webkit.org/show_bug.cgi?id=249242
jsc_fuz/wktr: heap-use-after-free in WebCore::ScrollableArea::existingScrollAnimator() const ScrollableArea.h:188
https://bugs.webkit.org/show_bug.cgi?id=249242
<rdar://103294792>
Reviewed by Simon Fraser and Ryan Haddad.
Remove scrollable area from m_scrollableAreasForAnimatedScroll
if scrollable area will be destroyed.
* LayoutTests/fast/scrolling/mac/smooth-scroll-crash-expected.txt: Added.
* LayoutTests/fast/scrolling/mac/smooth-scroll-crash.html: Added.
* Source/WebCore/rendering/RenderLayerScrollableArea.cpp:
(WebCore::RenderLayerScrollableArea::clear):
Canonical link: https://commits.webkit.org/252432.947@safari-7614-branch
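The ownership rule behind that fix, as an added illustration rather than WebKit's code. The registry and area classes below are stand-ins for m_scrollableAreasForAnimatedScroll and RenderLayerScrollableArea; calling clear() from the destructor, and the tick() visitor, are assumptions of this model. The point it shows is the one the message makes: a set of non-owning pointers is only safe if every object removes itself on the same path that destroys it.

```cpp
#include <cstddef>
#include <set>

class ScrollableArea;

// Registry of areas with an animated scroll in flight (the role of
// m_scrollableAreasForAnimatedScroll). It holds raw, non-owning pointers, so an
// area must leave it before it is destroyed or the next tick() dereferences
// freed memory, which is the heap-use-after-free the fuzzer reported.
class AnimatedScrollRegistry {
public:
    void add(ScrollableArea* area) { m_areas.insert(area); }
    void remove(ScrollableArea* area) { m_areas.erase(area); }
    size_t size() const { return m_areas.size(); }
    int tick() const; // visits every registered area once per frame
private:
    std::set<ScrollableArea*> m_areas;
};

class ScrollableArea {
public:
    explicit ScrollableArea(AnimatedScrollRegistry& registry) : m_registry(registry) { }
    ~ScrollableArea() { clear(); } // the teardown path must deregister

    void startAnimatedScroll() { m_animating = true; m_registry.add(this); }
    void animatedScrollDidEnd() { m_animating = false; m_registry.remove(this); }

    // Mirrors the fix: before the area goes away, pull it out of the registry.
    // Without this, the registry keeps a dangling pointer after destruction.
    void clear()
    {
        if (m_animating)
            animatedScrollDidEnd();
    }

    bool isAnimating() const { return m_animating; }

private:
    AnimatedScrollRegistry& m_registry;
    bool m_animating = false;
};

int AnimatedScrollRegistry::tick() const
{
    int active = 0;
    for (const ScrollableArea* area : m_areas) {
        if (area->isAnimating()) // use-after-free if a destroyed area were still registered
            ++active;
    }
    return active;
}

// Scenario from the bug: an area starts an animated scroll and is destroyed
// before the animation ends. True when teardown left no dangling entry.
bool destroyedAreaLeavesNoDanglingEntry()
{
    AnimatedScrollRegistry registry;
    {
        ScrollableArea area(registry);
        area.startAnimatedScroll();
        if (registry.size() != 1 || registry.tick() != 1)
            return false;
    } // ~ScrollableArea -> clear() -> remove(this)
    return registry.size() == 0 && registry.tick() == 0;
}

// Control: an animation that ends normally deregisters as well.
bool finishedAnimationDeregisters()
{
    AnimatedScrollRegistry registry;
    ScrollableArea area(registry);
    area.startAnimatedScroll();
    area.animatedScrollDidEnd();
    return registry.size() == 0 && !area.isAnimating();
}
```

Running the first scenario under ASan is the regression check that matters here: without the clear() call the tick() after the inner scope reads freed memory, which ASan reports as heap-use-after-free just as the bug title does.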
Commit: 1ae8226dbb800c3ef7b3b540c7692fe85d1c4e77
https://github.com/WebKit/WebKit/commit/1ae8226dbb800c3ef7b3b540c7692fe85d1c4e77
Author: David Li <[email protected]>
Date: 2023-02-01 (Wed, 01 Feb 2023)
Changed paths:
A LayoutTests/webgl/webgl-multi-draw-noop-expected.txt
A LayoutTests/webgl/webgl-multi-draw-noop.html
M Source/ThirdParty/ANGLE/src/libANGLE/Context.cpp
M Source/ThirdParty/ANGLE/src/libANGLE/Context.h
M Source/ThirdParty/ANGLE/src/libANGLE/Context.inl.h
Log Message:
-----------
Cherry-pick 252432.953@safari-7614-branch (e46603d76e04). rdar://94118546
[ANGLE] Add no-op check for ANGLE WEBGL_multi_draw functions
rdar://94118546
Reviewed by Jonathan Bedard and Kimmo Kinnunen.
* LayoutTests/webgl/webgl-multi-draw-noop-expected.txt: Added.
* LayoutTests/webgl/webgl-multi-draw-noop.html: Added.
* Source/ThirdParty/ANGLE/src/libANGLE/Context.cpp:
(gl::Context::multiDrawArrays):
(gl::Context::multiDrawArraysInstanced):
(gl::Context::multiDrawElements):
(gl::Context::multiDrawElementsInstanced):
(gl::Context::multiDrawArraysInstancedBaseInstance):
(gl::Context::multiDrawElementsInstancedBaseVertexBaseInstance):
* Source/ThirdParty/ANGLE/src/libANGLE/Context.h:
* Source/ThirdParty/ANGLE/src/libANGLE/Context.inl.h:
(gl::Context::noopMultiDraw const):
Canonical link: https://commits.webkit.org/252432.953@safari-7614-branch
Compare: https://github.com/WebKit/WebKit/compare/35ecde32dfff...1ae8226dbb80
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes