[webkit-changes] [WebKit/WebKit] 494321: Cherry-pick 252432.1019@safari-7614-branch (198880...
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 4943210909a2aeabf7c1e4c8be389b48761078c9
https://github.com/WebKit/WebKit/commit/4943210909a2aeabf7c1e4c8be389b48761078c9
Author: David Li
Date: 2023-03-28 (Tue, 28 Mar 2023)

Changed paths:
  A LayoutTests/editing/async-clipboard/clipboard-clear-expected.txt
  A LayoutTests/editing/async-clipboard/clipboard-clear.html
  M Source/WebCore/Modules/async-clipboard/ClipboardItemBindingsDataSource.cpp
  M Source/WebCore/Modules/async-clipboard/ClipboardItemBindingsDataSource.h

Log Message:
---
Cherry-pick 252432.1019@safari-7614-branch (1988807a5229). rdar://107319167

[Clipboard] Explicitly call completion on clearing ClipboardItemTypeLoader
rdar://103307563

Reviewed by Jonathan Bedard and Wenson Hsieh.

In m_itemTypeLoaders.clear(), ClipboardItemBindingsDataSource::invokeCompletionHandler() is called after all m_itemTypeLoaders released and traverses the itemTypeLoaders after itemTypeLoaders is clear but before the size is updated, causing nullptr access. So we should explicitly call completion before itemTypeLoader is released.

* LayoutTests/editing/async-clipboard/clipboard-clear-expected.txt: Added.
* LayoutTests/editing/async-clipboard/clipboard-clear.html: Added.
* Source/WebCore/Modules/async-clipboard/ClipboardItemBindingsDataSource.cpp:
(WebCore::ClipboardItemBindingsDataSource::clearItemTypeLoaders):
(WebCore::ClipboardItemBindingsDataSource::collectDataForWriting):
(WebCore::ClipboardItemBindingsDataSource::ClipboardItemTypeLoader::~ClipboardItemTypeLoader):
* Source/WebCore/Modules/async-clipboard/ClipboardItemBindingsDataSource.h:

Canonical link: https://commits.webkit.org/252432.1019@safari-7614-branch
Canonical link: https://commits.webkit.org/262227@main

___
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes

[webkit-changes] [WebKit/WebKit] f94e3b: Cherry-pick 252432.1013@safari-7614-branch (1d545c...
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: f94e3bc27f8f0012c0c1ebc1054fad5edb0881c0
https://github.com/WebKit/WebKit/commit/f94e3bc27f8f0012c0c1ebc1054fad5edb0881c0
Author: David Li
Date: 2023-03-27 (Mon, 27 Mar 2023)

Changed paths:
  A LayoutTests/animations/animation-set-effect-expected.txt
  A LayoutTests/animations/animation-set-effect.html
  M Source/WebCore/animation/CSSAnimation.cpp

Log Message:
---
Cherry-pick 252432.1013@safari-7614-branch (1d545c7ebfef). rdar://107285836

[Web Animations] CSSAnimation::setBindingsEffect should also add KeyFrames to overriddenProperties
rdar://102137788

Reviewed by Jonathan Bedard and Antoine Quint.

* LayoutTests/animations/animation-set-effect-expected.txt: Added.
* LayoutTests/animations/animation-set-effect.html: Added.
* Source/WebCore/animation/CSSAnimation.cpp:
(WebCore::CSSAnimation::setBindingsEffect):

Canonical link: https://commits.webkit.org/252432.1013@safari-7614-branch
Canonical link: https://commits.webkit.org/262179@main

[webkit-changes] [WebKit/WebKit] c20d51: [DOM] For range.extractContents(), abort early if ...
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: c20d51c646be933823b7b50b3f9c1a4a36950fa7
https://github.com/WebKit/WebKit/commit/c20d51c646be933823b7b50b3f9c1a4a36950fa7
Author: David Li
Date: 2023-03-07 (Tue, 07 Mar 2023)

Changed paths:
  A LayoutTests/fast/dom/Range/range-commonroot-notfound-expected.txt
  A LayoutTests/fast/dom/Range/range-commonroot-notfound.html
  M Source/WebCore/dom/Range.cpp

Log Message:
---
[DOM] For range.extractContents(), abort early if there's a doctype in range
https://bugs.webkit.org/show_bug.cgi?id=252805
rdar://103178567

Reviewed by Ryosuke Niwa.

Check if doctype is contained in range before start extracting contents, if contained, return HierarchyRequestError.

* LayoutTests/fast/dom/Range/range-commonroot-notfound-expected.txt: Added.
* LayoutTests/fast/dom/Range/range-commonroot-notfound.html: Added.
* Source/WebCore/dom/Range.cpp:
(WebCore::Range::processContents):

Canonical link: https://commits.webkit.org/261342@main

[webkit-changes] [WebKit/WebKit] 87a890: Cherry-pick 252432.940@safari-7614-branch (e34a3c3...
Branch: refs/heads/webkitglib/2.38
Home: https://github.com/WebKit/WebKit

Commit: 87a8908368977e945744a964b929bd136d7664a1
https://github.com/WebKit/WebKit/commit/87a8908368977e945744a964b929bd136d7664a1
Author: Chirag M Shah
Date: 2023-01-31 (Tue, 31 Jan 2023)

Changed paths:
  M Source/WebCore/Modules/websockets/WebSocketDeflater.cpp

Log Message:
---
Cherry-pick 252432.940@safari-7614-branch (e34a3c3b5918). rdar://problem/80071711

Fix int overflow leading to OOB write
rdar://problem/80071711

Reviewed by Chris Dumez and Ryan Haddad.

* Source/WebCore/Modules/websockets/WebSocketDeflater.cpp:
(WebCore::WebSocketDeflater::addBytes):
(WebCore::WebSocketDeflater::finish):
(WebCore::WebSocketInflater::addBytes):
(WebCore::WebSocketInflater::finish):
* Source/WebCore/rendering/updating/RenderTreeBuilder.cpp:
(WebCore::RenderTreeBuilder::destroy):
(WebCore::RenderTreeBuilder::attach):
(WebCore::RenderTreeBuilder::attachToRenderElementInternal):
* Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:
(WebCore::RenderTreeUpdater::createTextRenderer):

Canonical link: https://commits.webkit.org/252432.940@safari-7614-branch

Commit: d12a9865c45835577955174cc86da4bf000f4aa5
https://github.com/WebKit/WebKit/commit/d12a9865c45835577955174cc86da4bf000f4aa5
Author: Charlie Wolfe
Date: 2023-01-31 (Tue, 31 Jan 2023)

Changed paths:
  A LayoutTests/http/tests/navigation/cross-origin-navigation-fires-onload-expected.txt
  A LayoutTests/http/tests/navigation/cross-origin-navigation-fires-onload.html
  A LayoutTests/http/tests/navigation/resources/postmessage-on-hashchange.html
  M Source/WebCore/loader/FrameLoader.cpp

Log Message:
---
Cherry-pick 252432.942@safari-7614-branch (d7af255eed5c). https://bugs.webkit.org/show_bug.cgi?id=241753

cross origin iframe load event can be used for a malicious way
https://bugs.webkit.org/show_bug.cgi?id=241753
rdar://95467115

Reviewed by Chris Dumez and Ryan Haddad.

This bug describes an issue where it is possible to guess a URL that is redirected to by a cross-origin iframe. To fix this, WebKit should fire a load event when the direct parent frame is cross-origin. This fix is very similar to what is described in https://crbug.com/1248444.

* Source/WebCore/loader/FrameLoader.cpp:
(WebCore::FrameLoader::loadInSameDocument):
* LayoutTests/http/tests/navigation/cross-origin-navigation-fires-onload-expected.txt: Added.
* LayoutTests/http/tests/navigation/cross-origin-navigation-fires-onload.html: Added.
* LayoutTests/http/tests/navigation/resources/postmessage-on-hashchange.html: Added.

Canonical link: https://commits.webkit.org/252432.942@safari-7614-branch

Commit: a462ab39cd5284c9dda5a03b0c1b79112be2c715
https://github.com/WebKit/WebKit/commit/a462ab39cd5284c9dda5a03b0c1b79112be2c715
Author: Rob Buis
Date: 2023-01-31 (Tue, 31 Jan 2023)

Changed paths:
  A LayoutTests/fast/block/crash-empty-layoutStateStack-expected.txt
  A LayoutTests/fast/block/crash-empty-layoutStateStack.html
  M Source/WebCore/rendering/RenderBlock.cpp

Log Message:
---
Cherry-pick 256843.3@webkit-2022.12-embargoed (1d7abcd180ab). https://bugs.webkit.org/show_bug.cgi?id=248771

Protect against empty layout state
https://bugs.webkit.org/show_bug.cgi?id=248771

Reviewed by Alan Baradlay.

Protect against empty layout state.

* LayoutTests/fast/block/crash-empty-layoutStateStack-expected.txt: Added.
* LayoutTests/fast/block/crash-empty-layoutStateStack.html: Added.
* Source/WebCore/rendering/RenderBlock.cpp:
(WebCore::RenderBlock::layoutPositionedObject):
(WebCore::RenderBlock::markForPaginationRelayoutIfNeeded):

Canonical link: https://commits.webkit.org/256843.3@webkit-2022.12-embargoed

Commit: 4cc83dae19c5dbcf96f740bac271505a041abea2
https://github.com/WebKit/WebKit/commit/4cc83dae19c5dbcf96f740bac271505a041abea2
Author: Philippe Normand
Date: 2023-01-31 (Tue, 31 Jan 2023)

Changed paths:
  M Source/WebCore/platform/graphics/gstreamer/TextCombinerGStreamer.cpp

Log Message:
---
Cherry-pick 259419@main (537d68a65fe7). https://bugs.webkit.org/show_bug.cgi?id=251142

[GStreamer][1.22] Critical warning in internal text combiner element
https://bugs.webkit.org/show_bug.cgi?id=251142

Reviewed by Xabier Rodriguez-Calvar.

The `concat` pad request was done with a pad template not belonging to the element, so instead use the simple request-pad API and let the element figure out the pad template itself.

* Source/WebCore/platform/graphics/gstreamer/TextCombinerGStreamer.cpp:
(webkitTextCombinerRequestNewPad):

Canonical link: https://commits.webkit.org/259419@main

Commit: fe00271b8218ea548c30f4618f51ff16cce3e638

[webkit-changes] [WebKit/WebKit] 6ab74d: Cherry-pick 252432.953@safari-7614-branch (e46603d...
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 6ab74de7429060a6324a7b365c0d8c6bb0b232b1
https://github.com/WebKit/WebKit/commit/6ab74de7429060a6324a7b365c0d8c6bb0b232b1
Author: David Li
Date: 2023-01-26 (Thu, 26 Jan 2023)

Changed paths:
  A LayoutTests/webgl/webgl-multi-draw-noop-expected.txt
  A LayoutTests/webgl/webgl-multi-draw-noop.html
  M Source/ThirdParty/ANGLE/src/libANGLE/Context.cpp
  M Source/ThirdParty/ANGLE/src/libANGLE/Context.h
  M Source/ThirdParty/ANGLE/src/libANGLE/Context.inl.h

Log Message:
---
Cherry-pick 252432.953@safari-7614-branch (e46603d76e04). rdar://104665495

[ANGLE] Add no-op check for ANGLE WEBGL_multi_draw functions
rdar://94118546

Reviewed by Jonathan Bedard and Kimmo Kinnunen.

* LayoutTests/webgl/webgl-multi-draw-noop-expected.txt: Added.
* LayoutTests/webgl/webgl-multi-draw-noop.html: Added.
* Source/ThirdParty/ANGLE/src/libANGLE/Context.cpp:
(gl::Context::multiDrawArrays):
(gl::Context::multiDrawArraysInstanced):
(gl::Context::multiDrawElements):
(gl::Context::multiDrawElementsInstanced):
(gl::Context::multiDrawArraysInstancedBaseInstance):
(gl::Context::multiDrawElementsInstancedBaseVertexBaseInstance):
* Source/ThirdParty/ANGLE/src/libANGLE/Context.h:
* Source/ThirdParty/ANGLE/src/libANGLE/Context.inl.h:
(gl::Context::noopMultiDraw const):

Canonical link: https://commits.webkit.org/252432.953@safari-7614-branch
Canonical link: https://commits.webkit.org/259450@main

[webkit-changes] [WebKit/WebKit] 8efc8d: Cherry-pick 252432.776@safari-7614-branch (75391ce...
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 8efc8d987bd1ec420dcf3b2e9eea304f68142679
https://github.com/WebKit/WebKit/commit/8efc8d987bd1ec420dcf3b2e9eea304f68142679
Author: David Li
Date: 2022-12-19 (Mon, 19 Dec 2022)

Changed paths:
  A LayoutTests/compositing/scrolling/async-overflow-scrolling/disconnected-frame-is-loaded-expected.txt
  A LayoutTests/compositing/scrolling/async-overflow-scrolling/disconnected-frame-is-loaded.html

Log Message:
---
Cherry-pick 252432.776@safari-7614-branch (75391ceaaa91). rdar://100372312

Add test case for loading a disconnected frame
https://bugs.webkit.org/show_bug.cgi?id=245814
rdar://100372312

Reviewed by David Kilzer.

* LayoutTests/compositing/scrolling/async-overflow-scrolling/disconnected-frame-is-loaded-expected.txt: Added.
* LayoutTests/compositing/scrolling/async-overflow-scrolling/disconnected-frame-is-loaded.html: Added.

Canonical link: https://commits.webkit.org/252432.776@safari-7614-branch
Canonical link: https://commits.webkit.org/258108@main