Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: ec0b6a54937e081b2428f1b6b43425ad50926df2
https://github.com/WebKit/WebKit/commit/ec0b6a54937e081b2428f1b6b43425ad50926df2
Author: Pascoe <[email protected]>
Date: 2026-07-10 (Fri, 10 Jul 2026)
Changed paths:
M Source/WebKit/UIProcess/WebAuthentication/AuthenticatorManager.cpp
Log Message:
-----------
[WebAuthn] Null check m_pendingRequest before dereferencing it in PIN
callbacks
https://bugs.webkit.org/show_bug.cgi?id=318993
rdar://181709823
Reviewed by Abrar Rahman Protyasha.
The completion callbacks created in requestPin() and requestNewPin() capture a
WeakPtr to the AuthenticatorManager and correctly bail out if the manager has
gone away. However, they then unconditionally dereference m_pendingRequest to
cache the entered PIN. m_pendingRequest is a std::optional that is reset
whenever the pending request is cancelled, times out, or is replaced, so if the
manager outlives the request the callback dereferences a disengaged optional
and we crash.
This patch guards the dereference on m_pendingRequest being engaged, matching
the checks already used by the surrounding synchronous code paths. When there
is no longer a pending request there is nothing to cache the PIN into, so we
invoke the completion handler with a null string and return, the same way we
already handle a null manager.
* Source/WebKit/UIProcess/WebAuthentication/AuthenticatorManager.cpp:
(WebKit::AuthenticatorManager::requestPin):
(WebKit::AuthenticatorManager::requestNewPin):
Canonical link: https://commits.webkit.org/316914@main
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications