Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 4d861ff045d4ce0cc26414854fbb422b0299960f
https://github.com/WebKit/WebKit/commit/4d861ff045d4ce0cc26414854fbb422b0299960f
Author: Nicole Rosario <[email protected]>
Date: 2024-01-24 (Wed, 24 Jan 2024)
Changed paths:
M LayoutTests/TestExpectations
A LayoutTests/ipc/argumentParser.js
A LayoutTests/ipc/fuzz_tools.js
A LayoutTests/ipc/media-player-invalid-test-expected.txt
A LayoutTests/ipc/media-player-invalid-test.html
M Source/WebCore/platform/mock/mediasource/MockMediaSourcePrivate.cpp
M Source/WebCore/platform/mock/mediasource/MockMediaSourcePrivate.h
Log Message:
-----------
[CoreIPC] heap-use-after-free in
WebCore::MockMediaSourcePrivate::markEndOfStream
rdar://115982856
Reviewed by Jean-Yves Avenard and Eric Carlson.
Error only hit in internal testing. Object was referenced after deletion.
Updated `MockMediaPlayer` to use a weak pointer for `m_player` instead of a
reference and added checks to methods to check that `m_player` exists before
trying to read/write.
* Source/WebCore/platform/mock/mediasource/MockMediaSourcePrivate.cpp: added
check that `m_player` exists before accessing
* Source/WebCore/platform/mock/mediasource/MockMediaSourcePrivate.h: changed
`m_player` to weak pointer instead of a reference
* Source/WebCore/platform/mock/mediasource/MockSourceBufferPrivate.cpp:
(WebCore::MockSourceBufferPrivate::readyState const):
(WebCore::MockSourceBufferPrivate::setReadyState):
Originally-landed-as: 267815.570@safari-7617-branch (fc6f62059d44).
rdar://121481507
Canonical link: https://commits.webkit.org/273428@main
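The ownership change the commit describes, as an added illustration in standard C++ (not WebKit's code; WebKit uses WTF::WeakPtr, for which std::weak_ptr is the closest standard-library analogue). MockPlayer, MockSource, markEndOfStream, hasPlayer and the two demo functions are assumed names standing in for MockMediaPlayer and MockMediaSourcePrivate:

```cpp
// Added illustration, not WebKit code: hold a non-owning weak pointer to the
// player and check it on every use, instead of a reference that dangles once
// the player is destroyed. All names here are assumed for illustration.
#include <memory>

struct MockPlayer {
    bool endOfStream = false;
    void setEndOfStream() { endOfStream = true; }
};

// Before the fix the source held `MockPlayer&`, so once the player was
// destroyed every access through the reference was a use-after-free.
// After: hold a std::weak_ptr and promote it to a shared_ptr on each use,
// so a destroyed player is observed as "gone" instead of dereferenced.
class MockSource {
public:
    explicit MockSource(const std::shared_ptr<MockPlayer>& player)
        : m_player(player) { }

    // Returns true if the player was alive and updated, false if the call
    // was dropped because the player no longer exists.
    bool markEndOfStream()
    {
        if (auto player = m_player.lock()) {
            player->setEndOfStream();
            return true;
        }
        return false;
    }

    bool hasPlayer() const { return !m_player.expired(); }

private:
    std::weak_ptr<MockPlayer> m_player; // non-owning, checked on every use
};

// Scenario 1 (constructed): player alive, the call goes through and sets the flag.
bool demoPlayerAlive()
{
    auto player = std::make_shared<MockPlayer>();
    MockSource source(player);
    return source.markEndOfStream() && player->endOfStream;
}

// Scenario 2 (constructed): the source outlives the player. With a reference
// this is the heap-use-after-free; with a weak pointer it is a safe no-op.
bool demoSourceOutlivesPlayer()
{
    auto player = std::make_shared<MockPlayer>();
    MockSource source(player);
    player.reset(); // last owner gone, MockPlayer destroyed here
    return !source.hasPlayer() && !source.markEndOfStream();
}
```

The second scenario is the shape AddressSanitizer reports as heap-use-after-free when a raw reference is used instead: the access itself is the bug, so the fix has to be at the ownership level, not in the caller.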
Commit: 622f92afdb426af016db98987bbe36b87c9098f5
https://github.com/WebKit/WebKit/commit/622f92afdb426af016db98987bbe36b87c9098f5
Author: Nicole Rosario <[email protected]>
Date: 2024-01-24 (Wed, 24 Jan 2024)
Changed paths:
M LayoutTests/TestExpectations
A LayoutTests/fast/rendering/render-list-marker-select-expected.txt
A LayoutTests/fast/rendering/render-list-marker-select.html
M Source/WebCore/rendering/updating/RenderTreeBuilderList.cpp
Log Message:
-----------
jsc_fuz/wktr: null ptr deref in
WebCore::RenderMenuList::computeIntrinsicLogicalWidths
https://bugs.webkit.org/show_bug.cgi?id=264830
rdar://115721454
Reviewed by Alan Baradlay.
Null pointer dereference error caused by render tree being ordered incorrectly.
RenderListMarker was being placed inside RenderMenuList, where RenderListMarker
and RenderMenuList should be on the same level and in RenderListItem.
* LayoutTests/fast/rendering/render-list-marker-select-expected.txt:
* LayoutTests/fast/rendering/render-list-marker-select.html:
* Source/WebCore/rendering/updating/RenderTreeBuilderList.cpp:
(WebCore::getParentOfFirstLineBox): added check to ensure RenderListMarker
isn't placed inside RenderMenuList but can be placed at same level (i.e., sibling).
Originally-landed-as: 267815.595@safari-7617-branch (2a1f2e7acfe2).
rdar://121481232
Canonical link: https://commits.webkit.org/273429@main
Commit: 15774fae27ec36386eddb171418ddcfe1c488c08
https://github.com/WebKit/WebKit/commit/15774fae27ec36386eddb171418ddcfe1c488c08
Author: David Kilzer <[email protected]>
Date: 2024-01-24 (Wed, 24 Jan 2024)
Changed paths:
M Source/ThirdParty/libwebrtc/Source/webrtc/modules/rtp_rtcp/source/rtp_format_vp9.cc
A Source/ThirdParty/libwebrtc/WebKit/01-WebRTC-Stack-buffer-overflow-in-webrtc-anonymous_namespace-SsDataLength.patch
Log Message:
-----------
[WebRTC] Stack-buffer-overflow in webrtc::anonymous_namespace::SsDataLength()
in vp9 packetizer
https://bugs.webkit.org/show_bug.cgi?id=265727
<rdar://119074872>
Reviewed by Youenn Fablet.
* Source/ThirdParty/libwebrtc/Source/webrtc/modules/rtp_rtcp/source/rtp_format_vp9.cc:
(webrtc::anonymous_namespace::SsDataLength):
- Change debug assertion into runtime check.
* Source/ThirdParty/libwebrtc/WebKit/01-WebRTC-Stack-buffer-overflow-in-webrtc-anonymous_namespace-SsDataLength.patch: Add.
Originally-landed-as: 267815.606@safari-7617-branch (f2ba7a5d0dd0).
rdar://121481147
Canonical link: https://commits.webkit.org/273430@main
Commit: bb644de42b02991f8e878e917b2df008a9a17a3e
https://github.com/WebKit/WebKit/commit/bb644de42b02991f8e878e917b2df008a9a17a3e
Author: David Kilzer <[email protected]>
Date: 2024-01-24 (Wed, 24 Jan 2024)
Changed paths:
M Source/ThirdParty/libwebrtc/Source/webrtc/modules/rtp_rtcp/source/rtp_format_vp9.cc
A Source/ThirdParty/libwebrtc/WebKit/0001-WebRTC-Out-of-bounds-crash-in-webrtc-anonymous_namespace-RemoveInactiveSpatialLayers.patch
Log Message:
-----------
[WebRTC] Out-of-bounds crash in
webrtc::anonymous_namespace::RemoveInactiveSpatialLayers() in vp9 packetizer
https://bugs.webkit.org/show_bug.cgi?id=265776
<rdar://119112931>
Reviewed by Youenn Fablet.
* Source/ThirdParty/libwebrtc/Source/webrtc/modules/rtp_rtcp/source/rtp_format_vp9.cc:
(webrtc::anonymous_namespace::RemoveInactiveSpatialLayers):
- Add sanity check for RTPVideoHeaderVP9::num_spatial_layers. This
matches the check in SsDataLength(), but that's called later when
initializing fields in RtpPacketizerVp9.
* Source/ThirdParty/libwebrtc/WebKit/0001-WebRTC-Out-of-bounds-crash-in-webrtc-anonymous_namespace-RemoveInactiveSpatialLayers.patch: Add.
Originally-landed-as: 267815.607@safari-7617-branch (7fa29f992225).
rdar://121481068
Canonical link: https://commits.webkit.org/273431@main
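The two WebRTC commits above (SsDataLength and RemoveInactiveSpatialLayers) share one lesson: a debug assertion is compiled out in release builds, so it is not a bounds check, and the check has to run before the earliest array index, not only in the function that happens to assert. The following is an added illustration, not libwebrtc code; VP9Header, ssDataLength, validSpatialLayerCount and makeHeader are assumed names, the limit kMaxSpatialLayers = 8 is an assumption, and the byte layout is simplified:

```cpp
// Added illustration, not libwebrtc code: replace a debug-only assertion with
// a runtime check that runs before any index into the per-layer arrays.
// Names, the limit of 8, and the simplified byte layout are assumptions.
#include <array>
#include <cstddef>
#include <cstdint>
#include <optional>

constexpr size_t kMaxSpatialLayers = 8; // assumed; sizes the arrays below

struct VP9Header {
    uint8_t num_spatial_layers = 0; // comes from the peer, not trusted
    bool spatial_layer_resolution_present = false;
    std::array<uint16_t, kMaxSpatialLayers> width { };
    std::array<uint16_t, kMaxSpatialLayers> height { };
};

// Pattern of the bug (comment only, never run: indexing past the arrays is
// undefined behaviour). With NDEBUG defined the assert vanishes and the loop
// reads width[8], width[9], ... off the end of the stack arrays.
//
//   size_t ssDataLengthUnchecked(const VP9Header& h)
//   {
//       assert(h.num_spatial_layers <= kMaxSpatialLayers);
//       size_t length = 1;
//       for (size_t i = 0; i < h.num_spatial_layers; ++i)
//           length += bytesFor(h.width[i]) + bytesFor(h.height[i]);
//       return length;
//   }

// The fix: one runtime check, present in every build configuration. Running
// it once up front (as the RemoveInactiveSpatialLayers change does) also
// covers callers that index the arrays before ssDataLength is ever reached.
bool validSpatialLayerCount(const VP9Header& h)
{
    return h.num_spatial_layers >= 1 && h.num_spatial_layers <= kMaxSpatialLayers;
}

// Simplified scalability-structure size: 1 header byte plus 4 bytes
// (16-bit width and height) per spatial layer when resolutions are present.
// Returns nullopt, rather than asserting, for an invalid layer count.
std::optional<size_t> ssDataLength(const VP9Header& h)
{
    if (!validSpatialLayerCount(h))
        return std::nullopt;
    size_t length = 1;
    if (h.spatial_layer_resolution_present) {
        for (size_t i = 0; i < h.num_spatial_layers; ++i) {
            (void)h.width[i];  // in bounds: i < num_spatial_layers <= kMaxSpatialLayers
            (void)h.height[i];
            length += 4;
        }
    }
    return length;
}

// Constructed test input helper.
VP9Header makeHeader(uint8_t layers, bool resolutionsPresent)
{
    VP9Header h;
    h.num_spatial_layers = layers;
    h.spatial_layer_resolution_present = resolutionsPresent;
    return h;
}
```

The caller of ssDataLength gets an explicit "invalid header" result it must handle, which is the behaviour a fuzzer-found stack overflow needs: reject the packet, do not trust the assertion to have fired.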
Commit: 1e8c797c8799581ef47ad5a25f917064b1f40823
https://github.com/WebKit/WebKit/commit/1e8c797c8799581ef47ad5a25f917064b1f40823
Author: Nisha Jain <[email protected]>
Date: 2024-01-24 (Wed, 24 Jan 2024)
Changed paths:
A LayoutTests/fast/box-shadow/large-shadowblur-no-crash-expected.txt
A LayoutTests/fast/box-shadow/large-shadowblur-no-crash.html
M Source/WebCore/platform/graphics/ShadowBlur.cpp
Log Message:
-----------
heap-buffer-overflow: crash under WebCore::ShadowBlur::blurLayerImage().
https://bugs.webkit.org/show_bug.cgi?id=264978
rdar://118004762.
Reviewed by Simon Fraser.
For very large box-shadow sizes, due to floating point precision error,
ImageBuffer::getPixelBuffer returns a 'PixelBuffer' size which is not the
same as the passed size. This causes a buffer overflow/underflow issue for
these large sizes. In order to fix it, we now use the same size as the
allocated 'PixelBuffer' size even though it could be slightly different than
the original size.
* LayoutTests/fast/box-shadow/large-shadowblur-no-crash-expected.txt: Added
test expected file.
* LayoutTests/fast/box-shadow/large-shadowblur-no-crash.html: Added test case.
* Source/WebCore/platform/graphics/ShadowBlur.cpp:
(WebCore::ShadowBlur::blurShadowBuffer): Using same size as allocated pixel
buffer size.
Originally-landed-as: 267815.608@safari-7617-branch (e09e3cd2f3db).
rdar://121481090
Canonical link: https://commits.webkit.org/273432@main
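The size-mismatch pattern from the ShadowBlur commit, as an added illustration in standard C++ (not WebKit's code): a blur pass that loops over the size it asked for versus one that loops over the size it was actually given. PixelBuffer, allocatePixelBuffer, fillUsingRequestedSize, fillUsingAllocatedSize and the demo functions are assumed names, and the allocator's rounding here is a constructed stand-in for the floating point mismatch the commit describes:

```cpp
// Added illustration, not WebKit code: take loop bounds and stride from the
// buffer that was allocated, never from the caller's own rounding of the
// request. All names and the rounding model are assumptions.
#include <cmath>
#include <cstddef>
#include <cstdint>
#include <vector>

struct FloatSize { float width; float height; };
struct IntSize { int width; int height; };

struct PixelBuffer {
    IntSize size;               // the dimensions actually allocated
    std::vector<uint8_t> data;  // one byte per pixel, size.width * size.height
};

// Models an allocator that rounds the float request to nearest, while the
// caller below rounds it up: for 1000.3 x 4.0 the caller expects 1001 x 4
// but receives 1000 x 4 (constructed mismatch).
PixelBuffer allocatePixelBuffer(FloatSize requested)
{
    IntSize actual { static_cast<int>(std::lround(requested.width)),
                     static_cast<int>(std::lround(requested.height)) };
    return PixelBuffer { actual,
        std::vector<uint8_t>(static_cast<size_t>(actual.width) * actual.height, 0) };
}

// Pattern of the bug: loop bounds and row stride come from the caller's own
// rounding. The index check stands in for the heap-buffer-overflow ASan
// reported; it returns false the moment a write would leave the buffer.
bool fillUsingRequestedSize(PixelBuffer& buffer, FloatSize requested)
{
    int width = static_cast<int>(std::ceil(requested.width));
    int height = static_cast<int>(std::ceil(requested.height));
    for (int y = 0; y < height; ++y) {
        for (int x = 0; x < width; ++x) {
            size_t index = static_cast<size_t>(y) * width + x;
            if (index >= buffer.data.size())
                return false; // would write past the allocation
            buffer.data[index] = 0xff;
        }
    }
    return true;
}

// The fix: width, height and stride come from the allocated buffer, so every
// index is in range by construction.
bool fillUsingAllocatedSize(PixelBuffer& buffer)
{
    int width = buffer.size.width;
    int height = buffer.size.height;
    for (int y = 0; y < height; ++y) {
        for (int x = 0; x < width; ++x) {
            size_t index = static_cast<size_t>(y) * width + x;
            if (index >= buffer.data.size())
                return false; // unreachable: bounds came from the buffer itself
            buffer.data[index] = 0xff;
        }
    }
    return true;
}

// Constructed scenario: a request whose float size rounds two different ways.
bool demoRequestedSizeOverflows()
{
    FloatSize requested { 1000.3f, 4.0f };
    PixelBuffer buffer = allocatePixelBuffer(requested);
    return buffer.size.width == 1000 && !fillUsingRequestedSize(buffer, requested);
}

bool demoAllocatedSizeIsSafe()
{
    PixelBuffer buffer = allocatePixelBuffer({ 1000.3f, 4.0f });
    return fillUsingAllocatedSize(buffer) && buffer.data.back() == 0xff;
}
```

Note that the unsafe version is wrong even before it runs off the end: with a stride of 1001 over a 1000-wide buffer, every row after the first is written to the wrong place, so the "slightly different" size the commit mentions corrupts the image as well as the heap.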
Commit: 0abac9dcb7e3639246a7c64b4b54a7b855ab5d26
https://github.com/WebKit/WebKit/commit/0abac9dcb7e3639246a7c64b4b54a7b855ab5d26
Author: Youenn Fablet <[email protected]>
Date: 2024-01-24 (Wed, 24 Jan 2024)
Changed paths:
M Source/WebKit/WebProcess/GPU/graphics/RemoteDisplayListRecorderProxy.cpp
M Source/WebKit/WebProcess/GPU/graphics/RemoteDisplayListRecorderProxy.h
Log Message:
-----------
[macOS] WebContent crash in WTF::deallocateSendRightSafely under
~SharedVideoFrameWriter() (GUARD_TYPE_MACH_PORT :: INVALID_NAME)
rdar://114943202
Reviewed by Chris Dumez.
After https://bugs.webkit.org/show_bug.cgi?id=258379, we were creating the
writer lazily but the creation can be triggered from multiple threads at once.
Given SharedVideoFrameWriter is expected to be used on a single thread/queue,
we now protect it in RemoteDisplayListRecorderProxy with a lock.
* Source/WebKit/WebProcess/GPU/graphics/RemoteDisplayListRecorderProxy.cpp:
(WebKit::RemoteDisplayListRecorderProxy::recordPaintVideoFrame):
(WebKit::RemoteDisplayListRecorderProxy::disconnect):
(WebKit::RemoteDisplayListRecorderProxy::ensureSharedVideoFrameWriter): Deleted.
* Source/WebKit/WebProcess/GPU/graphics/RemoteDisplayListRecorderProxy.h:
Originally-landed-as: 267815.610@safari-7617-branch (8d4c34c20726).
rdar://121480967
Canonical link: https://commits.webkit.org/273433@main
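The locking change from the RemoteDisplayListRecorderProxy commit, as an added illustration in standard C++ (not WebKit's code): lazy creation of a resource that is only safe on one thread, where the create-or-reuse step and the use are serialized under one lock. SharedVideoFrameWriter, RecorderProxy, recordPaintVideoFrame, disconnect, concurrentPaints, writersConstructed and demoDisconnectThenRepaint are assumed names standing in for the classes and methods named in the commit:

```cpp
// Added illustration, not WebKit code: guard check-then-create and the
// subsequent use with a single mutex so concurrent callers never construct
// or tear down the writer twice. All names are assumed for illustration.
#include <atomic>
#include <memory>
#include <mutex>
#include <thread>
#include <vector>

struct SharedVideoFrameWriter {
    inline static std::atomic<int> constructed { 0 }; // observed by the test
    int framesWritten = 0;
    SharedVideoFrameWriter() { ++constructed; }
    void write(int /* frameId */) { ++framesWritten; }
};

// Before the fix the pattern was "if (!m_writer) m_writer = create();" with
// no lock: two threads could both see null and both construct and use a
// writer that is only safe on one thread. With the lock, check-and-create
// plus the write are one critical section.
class RecorderProxy {
public:
    void recordPaintVideoFrame(int frameId)
    {
        std::lock_guard<std::mutex> lock(m_writerLock);
        if (!m_writer)
            m_writer = std::make_unique<SharedVideoFrameWriter>();
        m_writer->write(frameId);
    }

    // Teardown takes the same lock, so a concurrent paint sees either the
    // old writer or none, never a half-destroyed one.
    void disconnect()
    {
        std::lock_guard<std::mutex> lock(m_writerLock);
        m_writer.reset();
    }

    int framesWritten() const
    {
        std::lock_guard<std::mutex> lock(m_writerLock);
        return m_writer ? m_writer->framesWritten : 0;
    }

private:
    mutable std::mutex m_writerLock;
    std::unique_ptr<SharedVideoFrameWriter> m_writer; // created lazily
};

// Constructed scenario: `threads` workers each record `framesPerThread`
// frames against one proxy. Returns the total frames the writer saw; with
// the lock exactly one writer is ever constructed.
int concurrentPaints(int threads, int framesPerThread)
{
    SharedVideoFrameWriter::constructed = 0;
    RecorderProxy proxy;
    std::vector<std::thread> workers;
    for (int t = 0; t < threads; ++t) {
        workers.emplace_back([&proxy, framesPerThread] {
            for (int i = 0; i < framesPerThread; ++i)
                proxy.recordPaintVideoFrame(i);
        });
    }
    for (auto& worker : workers)
        worker.join();
    return proxy.framesWritten();
}

int writersConstructed() { return SharedVideoFrameWriter::constructed.load(); }

// Constructed scenario: disconnect destroys the writer under the lock and a
// later paint recreates it, so exactly two writers are constructed in total.
bool demoDisconnectThenRepaint()
{
    SharedVideoFrameWriter::constructed = 0;
    RecorderProxy proxy;
    proxy.recordPaintVideoFrame(1);
    proxy.disconnect();
    bool emptyAfterDisconnect = proxy.framesWritten() == 0;
    proxy.recordPaintVideoFrame(2);
    return emptyAfterDisconnect && proxy.framesWritten() == 1
        && SharedVideoFrameWriter::constructed == 2;
}
```

Under ThreadSanitizer the unlocked version reports a data race on m_writer; the locked version is clean, and the constructed counter gives a deterministic check that lazy creation happened exactly once regardless of how many threads raced to it.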
Compare: https://github.com/WebKit/WebKit/compare/f3f8098013c2...0abac9dcb7e3
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes