Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: a23df0dfbec0c9df6dfee9ac5646d7f3665d85b4
https://github.com/WebKit/WebKit/commit/a23df0dfbec0c9df6dfee9ac5646d7f3665d85b4
Author: Nikolaos Mouchtaris <[email protected]>
Date: 2025-06-06 (Fri, 06 Jun 2025)
Changed paths:
A LayoutTests/fast/scrolling/mac/scrollbars/scrollbar-crash-expected.txt
A LayoutTests/fast/scrolling/mac/scrollbars/scrollbar-crash.html
M Source/WebCore/page/scrolling/mac/ScrollerMac.h
M Source/WebCore/page/scrolling/mac/ScrollerMac.mm
Log Message:
-----------
Apple Safari Scrollbar Animation Use-After-Free Remote Code Execution Vulnerability
https://bugs.webkit.org/show_bug.cgi?id=289653
rdar://146505163
Reviewed by Simon Fraser and Chris Dumez.
Animations started by a WebScrollerImpDelegateMac have a chance of using a stale ScrollerMac value if that delegate is replaced without invalidating the delegate's animations. Fix this by calling invalidate on the WebScrollerImpDelegateMac before replacing it. Ensure this type of issue doesn't occur by refactoring WebScrollerImpDelegateMac and WebScrollbarPartAnimationMac to use smart pointers.
* Source/WebCore/page/scrolling/mac/ScrollerMac.h:
* Source/WebCore/page/scrolling/mac/ScrollerMac.mm:
(-[WebScrollerImpDelegateMac setUpAlphaAnimation:featureToAnimate:animateAlphaTo:duration:]):
(-[WebScrollerImpDelegateMac scrollerImp:animateUIStateTransitionWithDuration:]):
(-[WebScrollerImpDelegateMac scrollerImp:animateExpansionTransitionWithDuration:]):
(WebCore::ScrollerMac::ref):
(WebCore::ScrollerMac::deref):
(WebCore::ScrollerMac::attach):
Originally-landed-as: 289651.311@safari-7621-branch (656bcbf0bc42).
rdar://151714223
Canonical link: https://commits.webkit.org/295925@main
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes