Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: dc24f31e117d804296b6b5a1fa56014a6e9fe21a
https://github.com/WebKit/WebKit/commit/dc24f31e117d804296b6b5a1fa56014a6e9fe21a
Author: Chris Dumez <[email protected]>
Date: 2026-06-04 (Thu, 04 Jun 2026)
Changed paths:
M Source/WebCore/platform/mac/HIDDevice.cpp
Log Message:
-----------
Potential null deref in HIDDevice::uniqueInputElementsInDeviceTreeOrder when
an HID collection has no children
https://bugs.webkit.org/show_bug.cgi?id=316177
Reviewed by Basuke Suzuki.
`IOHIDElementGetChildren()` may return NULL for an HID collection
element that has no children, and `CFArrayGetCount(NULL)` is undefined
behavior. The sibling code path that handles `IOHIDDeviceCopyMatchingElements`
(a few lines above) already defends against this:
```
RetainPtr elements = adoptCF(IOHIDDeviceCopyMatchingElements(...));
CFIndex count = elements ? CFArrayGetCount(elements.get()) : 0;
```
The collection branch added in 227779@main did not adopt the same
guard:
```
RetainPtr children = IOHIDElementGetChildren(element.get());
for (CFIndex i = CFArrayGetCount(children.get()) - 1; i >= 0; --i)
    elementQueue.prepend(checked_cf_cast(CFArrayGetValueAtIndex(children.get(), i)));
```
Apply the same defensive pattern so a childless collection does not
crash.
* Source/WebCore/platform/mac/HIDDevice.cpp:
(WebCore::HIDDevice::uniqueInputElementsInDeviceTreeOrder const):
Canonical link: https://commits.webkit.org/314593@main
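
The guard described in the log message, as an added example that is not WebKit's code: a simplified model of the traversal in which `Element`, `Array`, `arrayCount` and `inputsInTreeOrder` are hypothetical stand-ins for the IOKit and CoreFoundation types and calls, and a null `children` pointer models `IOHIDElementGetChildren()` returning NULL. The front-popping queue is an assumption inferred from the `prepend` loop.

```cpp
#include <deque>
#include <string>
#include <vector>

// Stand-ins (assumptions) for the IOKit/CoreFoundation types: an array handle
// that may be null, and an element that is either a collection or an input.
struct Element;
using Array = std::vector<const Element*>;
struct Element {
    std::string name;
    bool isCollection;
    const Array* children; // nullptr models IOHIDElementGetChildren() returning NULL
};

// Models CFArrayGetCount(): the caller must never pass a null array.
static long arrayCount(const Array* array) { return static_cast<long>(array->size()); }

// Walk the tree front-to-back; children are prepended in reverse so they are
// visited in their original order before the remaining siblings.
std::vector<std::string> inputsInTreeOrder(const Array& topLevel)
{
    std::deque<const Element*> queue(topLevel.begin(), topLevel.end());
    std::vector<std::string> inputs;
    while (!queue.empty()) {
        const Element* element = queue.front();
        queue.pop_front();
        if (!element->isCollection) {
            inputs.push_back(element->name);
            continue;
        }
        const Array* children = element->children;
        // The guard: a childless collection yields a count of 0, not a null dereference.
        long count = children ? arrayCount(children) : 0;
        for (long i = count - 1; i >= 0; --i)
            queue.push_front((*children)[i]);
    }
    return inputs;
}

// Constructed sample tree: one collection has children, one has none (null).
std::vector<std::string> demo()
{
    static const Element x{"x", false, nullptr}, y{"y", false, nullptr}, button{"button", false, nullptr};
    static const Array axes{&x, &y};
    static const Element stick{"stick", true, &axes}, empty{"empty", true, nullptr};
    static const Array top{&stick, &empty, &button};
    return inputsInTreeOrder(top);
}
```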