Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: e8c9936f7249e11d2022762780b42b6b99fb5b20
https://github.com/WebKit/WebKit/commit/e8c9936f7249e11d2022762780b42b6b99fb5b20
Author: Abrar Rahman Protyasha <a_protya...@apple.com>
Date: 2025-09-11 (Thu, 11 Sep 2025)
Changed paths:
  M Source/WebKit/WebProcess/Plugins/PDF/UnifiedPDF/UnifiedPDFPlugin.mm

Log Message:
-----------
REGRESSION(292234@main): Web content process may crash when removing PDF page number indicator under WebPage::close()
https://bugs.webkit.org/show_bug.cgi?id=298710
rdar://158812619

Reviewed by Charlie Wolfe and Aditya Keerthi.

We have seen some bad memory access crash reports like:
```
<some-markable-class-method-access>
WebKit::WebPage::removePDFPageNumberIndicator(WebKit::PDFPluginBase&)
WebKit::UnifiedPDFPlugin::teardown()
WebKit::PDFPluginBase::destroy()
WebKit::PluginView::~PluginView()
```
... where the access address is 0xb0, i.e. an offset of 176 from null. A memory layout of `WebPage` suggests `m_pdfPlugInWithPageNumberIndicator` lives at that offset (expectedly so), meaning we are doing a null access on the web page object.

This patch adds a null check on the web page before calling it from UnifiedPDFPlugin::teardown().

* Source/WebKit/WebProcess/Plugins/PDF/UnifiedPDF/UnifiedPDFPlugin.mm:
(WebKit::UnifiedPDFPlugin::teardown):

Canonical link: https://commits.webkit.org/299866@main
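The two points in the commit message, mapping a near-null fault address back to a member via its offset and guarding a teardown call when the owning page may already be gone, as an added C++ illustration that is not WebKit code: `MockWebPage` and `MockPlugin` are constructed stand-ins, the padding is chosen so the member lands at offset 0xb0, and `std::weak_ptr` stands in for whatever weak reference the real plugin holds; the real `WebPage` layout is not reproduced.

```cpp
#include <cstddef>
#include <memory>

// Constructed stand-in for WebPage: the padding is sized so the indicator
// member sits at byte offset 0xb0 (176), the fault address in the report.
// The real WebPage layout is not reproduced here.
struct MockWebPage {
    unsigned char padding[176];
    const void* pdfPluginWithPageNumberIndicator = nullptr;
    void removePDFPageNumberIndicator(const void* plugin) {
        if (pdfPluginWithPageNumberIndicator == plugin)
            pdfPluginWithPageNumberIndicator = nullptr;
    }
};

// Triage step: a fault at a tiny address is a member access through a null
// object pointer, and offsetof tells you which member was being touched.
constexpr std::size_t kIndicatorOffset =
    offsetof(MockWebPage, pdfPluginWithPageNumberIndicator);
constexpr bool faultMatchesIndicatorMember(std::size_t faultAddress) {
    return faultAddress == kIndicatorOffset;
}

// Constructed stand-in for the plugin: it only weakly references its page,
// which WebPage::close() can destroy before PluginView is torn down.
struct MockPlugin {
    std::weak_ptr<MockWebPage> page;
    // True when the indicator was removed; false when the page was already
    // gone and the call was skipped instead of dereferencing null.
    bool teardown() {
        if (auto livePage = page.lock()) {   // the null check from the fix
            livePage->removePDFPageNumberIndicator(this);
            return true;
        }
        return false;
    }
};

// Page alive at teardown: the indicator registration is cleared.
bool teardownWithLivePageClearsIndicator() {
    auto page = std::make_shared<MockWebPage>();
    MockPlugin plugin{page};
    page->pdfPluginWithPageNumberIndicator = &plugin;
    return plugin.teardown() && !page->pdfPluginWithPageNumberIndicator;
}

// Page closed first (the crash ordering): teardown is now a safe no-op.
bool teardownAfterPageClosedIsSafe() {
    MockPlugin plugin;
    plugin.page = std::make_shared<MockWebPage>();  // sole owner dies at once
    return !plugin.teardown();
}
```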