Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 880a52f6ce5945d71dc6b8190f388f22f18cc006
    https://github.com/WebKit/WebKit/commit/880a52f6ce5945d71dc6b8190f388f22f18cc006
Author: Pedro Varangot <pvaran...@apple.com>
Date: 2025-08-15 (Fri, 15 Aug 2025)
Changed paths:
  A LayoutTests/ipc/LocalSampleBufferDisplayLayer-LogIdentifier-data-race-uaf-expected.txt
  A LayoutTests/ipc/LocalSampleBufferDisplayLayer-LogIdentifier-data-race-uaf.html
  M Source/WebCore/platform/graphics/avfoundation/SampleBufferDisplayLayer.h
  M Source/WebCore/platform/graphics/avfoundation/objc/LocalSampleBufferDisplayLayer.h
  M Source/WebCore/platform/graphics/avfoundation/objc/LocalSampleBufferDisplayLayer.mm
  M Source/WebCore/platform/graphics/avfoundation/objc/MediaPlayerPrivateMediaStreamAVFObjC.mm
  M Source/WebKit/GPUProcess/webrtc/RemoteSampleBufferDisplayLayer.h
  M Source/WebKit/GPUProcess/webrtc/RemoteSampleBufferDisplayLayer.messages.in
  M Source/WebKit/GPUProcess/webrtc/RemoteSampleBufferDisplayLayer.mm
  M Source/WebKit/WebProcess/GPU/webrtc/SampleBufferDisplayLayer.cpp
  M Source/WebKit/WebProcess/GPU/webrtc/SampleBufferDisplayLayer.h

Log Message:
-----------
Data race on LogIdentifier setter/use on LocalSampleBufferDisplayLayer can lead to UAF
rdar://152079992
https://bugs.webkit.org/show_bug.cgi?id=293986

Reviewed by Chris Dumez.

This fixes the bug by using an integer instead of a string as the log identifier.

* LayoutTests/ipc/LocalSampleBufferDisplayLayer-LogIdentifier-data-race-uaf-expected.txt: Added.
* LayoutTests/ipc/LocalSampleBufferDisplayLayer-LogIdentifier-data-race-uaf.html: Added.
* Source/WebCore/platform/graphics/avfoundation/SampleBufferDisplayLayer.h:
* Source/WebCore/platform/graphics/avfoundation/objc/LocalSampleBufferDisplayLayer.h:
* Source/WebCore/platform/graphics/avfoundation/objc/LocalSampleBufferDisplayLayer.mm:
(WebCore::LocalSampleBufferDisplayLayer::layerStatusDidChange):
(WebCore::LocalSampleBufferDisplayLayer::layerErrorDidChange):
(WebCore::LocalSampleBufferDisplayLayer::enqueueBufferInternal):
(WebCore::LocalSampleBufferDisplayLayer::onIrregularFrameRateNotification):
* Source/WebCore/platform/graphics/avfoundation/objc/MediaPlayerPrivateMediaStreamAVFObjC.mm:
(WebCore::MediaPlayerPrivateMediaStreamAVFObjC::layersAreInitialized):
* Source/WebKit/GPUProcess/webrtc/RemoteSampleBufferDisplayLayer.cpp:
(WebKit::RemoteSampleBufferDisplayLayer::setLogIdentifier):
* Source/WebKit/GPUProcess/webrtc/RemoteSampleBufferDisplayLayer.h:
* Source/WebKit/GPUProcess/webrtc/RemoteSampleBufferDisplayLayer.messages.in:
* Source/WebKit/WebProcess/GPU/webrtc/SampleBufferDisplayLayer.cpp:
(WebKit::SampleBufferDisplayLayer::setLogIdentifier):
* Source/WebKit/WebProcess/GPU/webrtc/SampleBufferDisplayLayer.h:

Originally-landed-as: 289651.577@safari-7621-branch (87cbcc71660c). rdar://157789662
Canonical link: https://commits.webkit.org/298771@main

To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
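The bug class the commit message names (a log identifier that one thread sets while another thread reads it, fixed by making the identifier an integer instead of a string) modeled as an added example. This is not WebKit's code and does not reproduce the actual LocalSampleBufferDisplayLayer logic; the types StringIdentifierLayer, IntegerIdentifierLayer, TrackedString, replayStringRace, replayIntegerRace and formatLogIdentifier are hypothetical, and the assumption that the unsafe use-site borrowed the string's storage rather than copying it is an assumption about the general shape of such races, not something the commit states. Because the real race is timing dependent, the losing interleaving (reader takes the identifier, setter replaces it, reader then uses it) is replayed sequentially so the outcome is deterministic and no freed memory is ever dereferenced.

```cpp
// Added illustration, not WebKit code: a log identifier set on one thread and
// used on another, first as a heap-owning string, then as a plain integer.
#include <atomic>
#include <cstdint>
#include <cstdio>
#include <memory>
#include <set>
#include <string>
#include <utility>

// A string whose backing object records whether it is still alive, so a dangling
// borrow can be detected by serial number instead of by touching freed memory.
class TrackedString {
public:
    explicit TrackedString(std::string text) : m_serial(nextSerial()), m_text(std::move(text)) { liveSerials().insert(m_serial); }
    ~TrackedString() { liveSerials().erase(m_serial); }
    uint64_t serial() const { return m_serial; }
    const std::string& text() const { return m_text; }   // the read a log line would perform
    static bool isLive(uint64_t serial) { return liveSerials().count(serial) != 0; }
private:
    static uint64_t nextSerial() { static uint64_t last = 0; return ++last; }
    static std::set<uint64_t>& liveSerials() { static std::set<uint64_t> live; return live; }
    uint64_t m_serial;
    std::string m_text;
};

// Unsafe shape (hypothetical): the identifier owns heap storage, and the use-site
// borrows that storage instead of taking its own copy.
struct StringIdentifierLayer {
    std::shared_ptr<TrackedString> identifier = std::make_shared<TrackedString>("0x0");

    // Setter, e.g. run on the thread that handles a "set log identifier" message.
    void setLogIdentifier(std::string text) { identifier = std::make_shared<TrackedString>(std::move(text)); }

    // Use-site, e.g. run on a media queue: borrows the backing object.
    const TrackedString* borrowIdentifier() const { return identifier.get(); }
};

// Replays the losing interleaving. Returns the serial of the borrowed string and
// whether that string was still alive when the reader got around to using it.
std::pair<uint64_t, bool> replayStringRace() {
    StringIdentifierLayer layer;
    const TrackedString* borrowed = layer.borrowIdentifier();   // reader: take a pointer
    uint64_t serial = borrowed->serial();                        // (recorded while still valid)
    layer.setLogIdentifier("0xdeadbeef");                        // setter: old string destroyed
    // reader would now call borrowed->text(): that is the use-after-free, so it is
    // not performed here; the serial check reports the dangling state instead.
    return std::make_pair(serial, TrackedString::isLive(serial));
}

// Fixed shape: the identifier is a plain integer. A load yields a self-contained
// value; there is no shared heap object whose lifetime the two threads can disagree on.
struct IntegerIdentifierLayer {
    std::atomic<uint64_t> identifier { 0 };

    // Relaxed ordering is enough: the value only feeds log output, nothing else depends on it.
    void setLogIdentifier(uint64_t id) { identifier.store(id, std::memory_order_relaxed); }
    uint64_t logIdentifier() const { return identifier.load(std::memory_order_relaxed); }
};

// Formats an identifier the way a log line would print it, on the caller's own copy.
std::string formatLogIdentifier(uint64_t id) {
    char buffer[2 + 16 + 1];
    std::snprintf(buffer, sizeof buffer, "0x%llx", static_cast<unsigned long long>(id));
    return buffer;
}

// Same interleaving against the integer identifier: the reader's copy stays valid
// and formats to the value it observed, while the layer already holds the new one.
std::pair<std::string, std::string> replayIntegerRace() {
    IntegerIdentifierLayer layer;
    layer.setLogIdentifier(0x1234);
    uint64_t observed = layer.logIdentifier();         // reader: copy the value
    layer.setLogIdentifier(0xdeadbeef);                 // setter: replace it
    return std::make_pair(formatLogIdentifier(observed), formatLogIdentifier(layer.logIdentifier()));
}

int main() {
    std::pair<uint64_t, bool> stringResult = replayStringRace();
    std::printf("string identifier #%llu alive at use time: %s\n",
                static_cast<unsigned long long>(stringResult.first),
                stringResult.second ? "yes" : "no (use-after-free)");
    std::pair<std::string, std::string> integerResult = replayIntegerRace();
    std::printf("integer identifier: reader saw %s, layer now holds %s\n",
                integerResult.first.c_str(), integerResult.second.c_str());
    return 0;
}
```

Build with `g++ -std=c++14 example.cpp`. The point of the integer variant is that a trivially copyable value read through an atomic load can be copied out and formatted later with no lifetime shared across threads; the same would not hold if the "integer" were really a pointer that the reader dereferences, and a string identifier could only be made safe by copying it under a lock or by never handing the reader a reference to storage the setter can release.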