Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: d4b40e10edf70074195fa76e9ffdc52962a3f04b
https://github.com/WebKit/WebKit/commit/d4b40e10edf70074195fa76e9ffdc52962a3f04b
Author: Youenn Fablet <[email protected]>
Date: 2026-07-03 (Fri, 03 Jul 2026)
Changed paths:
  A LayoutTests/ipc/LocalSampleBufferDisplayLayer-flushAndRemoveImage-cross-thread-uaf-expected.txt
  A LayoutTests/ipc/LocalSampleBufferDisplayLayer-flushAndRemoveImage-cross-thread-uaf.html
  M LayoutTests/platform/glib/TestExpectations
  M Source/WebCore/platform/graphics/avfoundation/objc/LocalSampleBufferDisplayLayer.mm
Log Message:
-----------
[WebKit] Cross-thread use-after-free in RemoteSampleBufferDisplayLayer via off-main layerErrorDidChange() from FlushAndRemoveImage @catch
rdar://176482856

Reviewed by Jean-Yves Avenard.

LocalSampleBufferDisplayLayer::flushAndRemoveImage() dispatches onto m_processingQueue, and the @catch branch called layerErrorDidChange() directly on that background queue. layerErrorDidChange() dereferences the non-thread-safe WeakPtr<SampleBufferDisplayLayerClient> m_client and invokes virtual methods on its RemoteSampleBufferDisplayLayer client, while RemoteSampleBufferDisplayLayerManager::releaseLayer() is dropping the last Ref on the main runloop.

Bounce the @catch handler to the main runloop via callOnMainThread so layerErrorDidChange() runs on the expected thread.

* LayoutTests/ipc/LocalSampleBufferDisplayLayer-flushAndRemoveImage-cross-thread-uaf-expected.txt: Added.
Patch mostly done by Simon Lewis.
* LayoutTests/ipc/LocalSampleBufferDisplayLayer-flushAndRemoveImage-cross-thread-uaf.html: Added.
* LayoutTests/platform/glib/TestExpectations:
* Source/WebCore/platform/graphics/avfoundation/objc/LocalSampleBufferDisplayLayer.mm:
(WebCore::LocalSampleBufferDisplayLayer::flushAndRemoveImage):
Hop to the main thread before calling layerErrorDidChange().

Originally-landed-as: 305413.884@safari-7624-branch (150ce323b07b).
rdar://180437609
Canonical link: https://commits.webkit.org/316484@main
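The commit message describes a thread-affinity bug: a weak reference that is only safe to touch on the main thread was dereferenced from a background queue while the main thread was releasing the object. The following is an added illustration of that pattern and of the fix shape (hop back to the main run loop before touching the client); it is not WebKit code and does not use WebKit's WeakPtr, Ref or callOnMainThread. MainRunLoop, DisplayLayerClient and Layer are hypothetical stand-ins, and std::weak_ptr plays the role of the non-thread-safe weak pointer. The client counts whether it was called on or off its owning thread so the difference between the two shapes is observable without relying on undefined behaviour.

```cpp
#include <deque>
#include <functional>
#include <memory>
#include <mutex>
#include <thread>

// Stand-in for a main run loop: tasks may be enqueued from any thread but
// are only executed when the owning (main) thread drains the queue.
class MainRunLoop {
public:
    MainRunLoop() : m_owner(std::this_thread::get_id()) {}

    // Analogue of callOnMainThread(): safe to call from a background queue.
    void callOnMainThread(std::function<void()> task) {
        std::lock_guard<std::mutex> lock(m_mutex);
        m_tasks.push_back(std::move(task));
    }

    // Run every pending task on the calling thread; returns how many ran.
    size_t drain() {
        std::deque<std::function<void()>> tasks;
        {
            std::lock_guard<std::mutex> lock(m_mutex);
            tasks.swap(m_tasks);
        }
        for (auto& task : tasks)
            task();
        return tasks.size();
    }

    std::thread::id owner() const { return m_owner; }

private:
    std::thread::id m_owner;
    std::mutex m_mutex;
    std::deque<std::function<void()>> m_tasks;
};

// Hypothetical client whose methods are only valid on the main thread.
struct DisplayLayerClient {
    explicit DisplayLayerClient(std::thread::id owner) : m_owner(owner) {}
    void layerErrorDidChange() {
        if (std::this_thread::get_id() == m_owner)
            onThreadCalls++;
        else
            offThreadCalls++;
    }
    std::thread::id m_owner;
    int onThreadCalls = 0;
    int offThreadCalls = 0;
};

// Hypothetical layer holding a weak reference to its client. std::weak_ptr
// stands in for a weak pointer that must only be dereferenced on one thread.
struct Layer {
    Layer(MainRunLoop& loop, std::weak_ptr<DisplayLayerClient> client)
        : m_mainLoop(loop), m_client(std::move(client)) {}

    void layerErrorDidChange() {
        if (auto client = m_client.lock())
            client->layerErrorDidChange();
    }

    // Simulated flushAndRemoveImage(): the work runs on a background thread
    // (the processing queue) and its failure branch reports the error.
    // hopToMain == false is the pre-fix shape (direct call from the background
    // thread); hopToMain == true is the fixed shape (bounce to the main loop).
    void flushAndRemoveImage(bool hopToMain) {
        std::thread worker([this, hopToMain] {
            // Pretend the flush failed; this is the @catch branch.
            if (hopToMain)
                m_mainLoop.callOnMainThread([this] { layerErrorDidChange(); });
            else
                layerErrorDidChange(); // wrong thread: can race with release on main
        });
        worker.join();
    }

    MainRunLoop& m_mainLoop;
    std::weak_ptr<DisplayLayerClient> m_client;
};

// True when the error callback reached the client exactly once, on the main thread.
bool fixedPathRunsOnMainThread() {
    MainRunLoop loop;
    auto client = std::make_shared<DisplayLayerClient>(loop.owner());
    Layer layer(loop, client);
    layer.flushAndRemoveImage(/* hopToMain */ true);
    loop.drain();
    return client->onThreadCalls == 1 && client->offThreadCalls == 0;
}

// True when a client released before the hopped task runs is skipped rather than touched.
bool fixedPathSkipsReleasedClient() {
    MainRunLoop loop;
    auto client = std::make_shared<DisplayLayerClient>(loop.owner());
    Layer layer(loop, client);
    layer.flushAndRemoveImage(/* hopToMain */ true);
    client.reset();           // analogue of releaseLayer() dropping the last reference
    return loop.drain() == 1; // the task ran, found the weak reference expired, touched nothing
}

// True when the pre-fix shape is observed calling the client off the main thread.
bool directCallHappensOffMainThread() {
    MainRunLoop loop;
    auto client = std::make_shared<DisplayLayerClient>(loop.owner());
    Layer layer(loop, client);
    layer.flushAndRemoveImage(/* hopToMain */ false);
    return client->offThreadCalls == 1 && loop.drain() == 0;
}
```

The second check is the one that matters for the bug class: once the handler is queued onto the owning thread, the release and the dereference are serialised by that thread, so the weak reference either resolves to a live object or to nothing. A debug assertion on the owning thread inside the client (as the counter here approximates) is a cheap way to catch this kind of off-thread call in tests before it becomes a use-after-free.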