Branch: refs/heads/webkitglib/2.38
Home:   https://github.com/WebKit/WebKit

Commit: 87a8908368977e945744a964b929bd136d7664a1
    https://github.com/WebKit/WebKit/commit/87a8908368977e945744a964b929bd136d7664a1
Author: Chirag M Shah <chirag_m_s...@apple.com>
Date:   2023-01-31 (Tue, 31 Jan 2023)
Changed paths:
    M Source/WebCore/Modules/websockets/WebSocketDeflater.cpp

Log Message:
-----------
Cherry-pick 252432.940@safari-7614-branch (e34a3c3b5918). rdar://problem/80071711

    Fix int overflow leading to OOB write
    rdar://problem/80071711

    Reviewed by Chris Dumez and Ryan Haddad.

    * Source/WebCore/Modules/websockets/WebSocketDeflater.cpp:
    (WebCore::WebSocketDeflater::addBytes):
    (WebCore::WebSocketDeflater::finish):
    (WebCore::WebSocketInflater::addBytes):
    (WebCore::WebSocketInflater::finish):
    * Source/WebCore/rendering/updating/RenderTreeBuilder.cpp:
    (WebCore::RenderTreeBuilder::destroy):
    (WebCore::RenderTreeBuilder::attach):
    (WebCore::RenderTreeBuilder::attachToRenderElementInternal):
    * Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:
    (WebCore::RenderTreeUpdater::createTextRenderer):

    Canonical link: https://commits.webkit.org/252432.940@safari-7614-branch

Commit: d12a9865c45835577955174cc86da4bf000f4aa5
    https://github.com/WebKit/WebKit/commit/d12a9865c45835577955174cc86da4bf000f4aa5
Author: Charlie Wolfe <charles_wo...@apple.com>
Date:   2023-01-31 (Tue, 31 Jan 2023)

Changed paths:
    A LayoutTests/http/tests/navigation/cross-origin-navigation-fires-onload-expected.txt
    A LayoutTests/http/tests/navigation/cross-origin-navigation-fires-onload.html
    A LayoutTests/http/tests/navigation/resources/postmessage-on-hashchange.html
    M Source/WebCore/loader/FrameLoader.cpp

Log Message:
-----------
Cherry-pick 252432.942@safari-7614-branch (d7af255eed5c). https://bugs.webkit.org/show_bug.cgi?id=241753

    cross origin iframe load event can be used for a malicious way
    https://bugs.webkit.org/show_bug.cgi?id=241753
    rdar://95467115

    Reviewed by Chris Dumez and Ryan Haddad.

    This bug describes an issue where it is possible to guess a URL that is redirected to by a cross-origin iframe. To fix this, WebKit should fire a load event when the direct parent frame is cross-origin. This fix is very similar to what is described in https://crbug.com/1248444.
    * Source/WebCore/loader/FrameLoader.cpp:
    (WebCore::FrameLoader::loadInSameDocument):
    * LayoutTests/http/tests/navigation/cross-origin-navigation-fires-onload-expected.txt: Added.
    * LayoutTests/http/tests/navigation/cross-origin-navigation-fires-onload.html: Added.
    * LayoutTests/http/tests/navigation/resources/postmessage-on-hashchange.html: Added.

    Canonical link: https://commits.webkit.org/252432.942@safari-7614-branch

Commit: a462ab39cd5284c9dda5a03b0c1b79112be2c715
    https://github.com/WebKit/WebKit/commit/a462ab39cd5284c9dda5a03b0c1b79112be2c715
Author: Rob Buis <rb...@igalia.com>
Date:   2023-01-31 (Tue, 31 Jan 2023)

Changed paths:
    A LayoutTests/fast/block/crash-empty-layoutStateStack-expected.txt
    A LayoutTests/fast/block/crash-empty-layoutStateStack.html
    M Source/WebCore/rendering/RenderBlock.cpp

Log Message:
-----------
Cherry-pick 256843.3@webkit-2022.12-embargoed (1d7abcd180ab). https://bugs.webkit.org/show_bug.cgi?id=248771

    Protect against empty layout state
    https://bugs.webkit.org/show_bug.cgi?id=248771

    Reviewed by Alan Baradlay.

    Protect against empty layout state.

    * LayoutTests/fast/block/crash-empty-layoutStateStack-expected.txt: Added.
    * LayoutTests/fast/block/crash-empty-layoutStateStack.html: Added.
    * Source/WebCore/rendering/RenderBlock.cpp:
    (WebCore::RenderBlock::layoutPositionedObject):
    (WebCore::RenderBlock::markForPaginationRelayoutIfNeeded):

    Canonical link: https://commits.webkit.org/256843.3@webkit-2022.12-embargoed

Commit: 4cc83dae19c5dbcf96f740bac271505a041abea2
    https://github.com/WebKit/WebKit/commit/4cc83dae19c5dbcf96f740bac271505a041abea2
Author: Philippe Normand <ph...@igalia.com>
Date:   2023-01-31 (Tue, 31 Jan 2023)

Changed paths:
    M Source/WebCore/platform/graphics/gstreamer/TextCombinerGStreamer.cpp

Log Message:
-----------
Cherry-pick 259419@main (537d68a65fe7).
https://bugs.webkit.org/show_bug.cgi?id=251142

    [GStreamer][1.22] Critical warning in internal text combiner element
    https://bugs.webkit.org/show_bug.cgi?id=251142

    Reviewed by Xabier Rodriguez-Calvar.

    The `concat` pad request was done with a pad template not belonging to the element, so instead use the simple request-pad API and let the element figure out the pad template itself.

    * Source/WebCore/platform/graphics/gstreamer/TextCombinerGStreamer.cpp:
    (webkitTextCombinerRequestNewPad):

    Canonical link: https://commits.webkit.org/259419@main

Commit: fe00271b8218ea548c30f4618f51ff16cce3e638
    https://github.com/WebKit/WebKit/commit/fe00271b8218ea548c30f4618f51ff16cce3e638
Author: Angela Izquierdo Garcia <a_izquierdogar...@apple.com>
Date:   2023-01-31 (Tue, 31 Jan 2023)

Changed paths:
    M Source/WebCore/platform/graphics/filters/software/FEConvolveMatrixSoftwareApplier.cpp
    M Source/WebCore/platform/graphics/filters/software/FEConvolveMatrixSoftwareApplier.h

Log Message:
-----------
Cherry-pick 252432.943@safari-7614-branch (c6249012752b). https://bugs.webkit.org/show_bug.cgi?id=248288

    Floating Point Exception in FEConvolveMatrixSoftwareApplier:: applyPatform
    https://bugs.webkit.org/show_bug.cgi?id=248288
    rdar://102137760

    There is a division by zero due to the fact that sometimes one of the variables involved in a division (clipBottom and iterations) is much bigger than the other, and as C++ rounds down the result is consequently zero, which leads to the subsequent exception.

    Reviewed by Geoffrey Garen and David Kilzer.
    * Source/WebCore/platform/graphics/filters/software/FEConvolveMatrixSoftwareApplier.cpp:
    (WebCore::FEConvolveMatrixSoftwareApplier::setInteriorPixels):
    (WebCore::FEConvolveMatrixSoftwareApplier::applyPlatform const):
    * Source/WebCore/platform/graphics/filters/software/FEConvolveMatrixSoftwareApplier.h:

    Canonical link: https://commits.webkit.org/252432.943@safari-7614-branch

Commit: 752cd835e110da78f58fae8154ea8e746ba76d30
    https://github.com/WebKit/WebKit/commit/752cd835e110da78f58fae8154ea8e746ba76d30
Author: Chris Dumez <cdu...@apple.com>
Date:   2023-01-31 (Tue, 31 Jan 2023)

Changed paths:
    M LayoutTests/fast/loader/stateobjects/document-destroyed-navigate-back.html
    A LayoutTests/fast/loader/stateobjects/popstate-does-not-fire-with-page-cache-expected.txt
    A LayoutTests/fast/loader/stateobjects/popstate-does-not-fire-with-page-cache.html
    R LayoutTests/fast/loader/stateobjects/popstate-fires-with-page-cache-expected.txt
    R LayoutTests/fast/loader/stateobjects/popstate-fires-with-page-cache.html
    A LayoutTests/fast/loader/stateobjects/resources/popstate-does-not-fire-with-page-cache-1.html
    A LayoutTests/fast/loader/stateobjects/resources/popstate-does-not-fire-with-page-cache-2.html
    R LayoutTests/fast/loader/stateobjects/resources/popstate-fires-with-page-cache-1.html
    R LayoutTests/fast/loader/stateobjects/resources/popstate-fires-with-page-cache-2.html
    M LayoutTests/fast/loader/stateobjects/resources/replacestate-in-iframe-window-child.html
    M Source/WebCore/history/CachedPage.cpp
    M Source/WebCore/loader/FrameLoader.cpp
    M Source/WebCore/loader/FrameLoader.h
    M Source/WebKit/UIProcess/WebBackForwardList.cpp
    M Tools/TestWebKitAPI/Tests/WebKit/WKBackForwardList.mm

Log Message:
-----------
Cherry-pick 252432.944@safari-7614-branch (50b1632f78ae). https://bugs.webkit.org/show_bug.cgi?id=248716

    Tweak back/forward list hijacking prevention logic
    https://bugs.webkit.org/show_bug.cgi?id=248716
    rdar://102923240

    Reviewed by Geoffrey Garen and Ryan Haddad.
    Tweak back/forward list hijacking prevention logic for better protection and to align our behavior with Chrome.

    In particular, let's consider this example:
    Yahoo -> Yahoo#a (no userInteraction) -> Google -> Google#a (no user interaction) -> Google#b (no user interaction)

    If we're currently on Google#b and navigate backwards:
    - Old behavior: We load Google
    - New behavior: We load Yahoo#a

    The new behavior makes sense since the user feels like they are on Google (since Google#a & Google#b happened without user interaction) and the last page they viewed before Google was Yahoo#b.

    If we're on Yahoo#a and navigate forwards:
    - Old behavior: We load Google
    - New behavior: We load Google#b

    The new behavior makes sense as a symmetry to the case above.

    Now let's consider this example:
    Yahoo -> Yahoo#a (no userInteraction) -> Google

    If we're on Google and navigate backwards:
    - Old behavior: we load Yahoo
    - New behavior: We load Yahoo#a

    Finally, with this example:
    Yahoo -> Google -> Google#a (no user interaction) -> Google#b (no user interaction)

    If we're on Yahoo and navigate forwards:
    - Old behavior: We load Google
    - New behavior: We load Google#b

    This patch also changes the behavior of the popstate event. We used to fire the popstate event for navigations that were not within the same document. However, this behavior wasn't aligned with the specification [1] or with other browsers. The exploit attached to the radar was also relying on this event to hijack the back/forward navigation and lock the user on a specific site. I updated our code so that the popstate is now only fired for same-document navigations and I updated our tests accordingly. I have verified that our behavior is consistent with Blink on these new test versions.
    * LayoutTests/fast/loader/stateobjects/document-destroyed-navigate-back-expected.txt:
    * LayoutTests/fast/loader/stateobjects/document-destroyed-navigate-back-with-fragment-scroll-expected.txt:
    * LayoutTests/fast/loader/stateobjects/document-destroyed-navigate-back.html:
    * LayoutTests/fast/loader/stateobjects/popstate-does-not-fire-with-page-cache-expected.txt: Renamed from LayoutTests/fast/loader/stateobjects/popstate-fires-with-page-cache-expected.txt.
    * LayoutTests/fast/loader/stateobjects/popstate-does-not-fire-with-page-cache.html: Renamed from LayoutTests/fast/loader/stateobjects/popstate-fires-with-page-cache.html.
    * LayoutTests/fast/loader/stateobjects/replacestate-in-iframe-expected.txt:
    * LayoutTests/fast/loader/stateobjects/resources/popstate-does-not-fire-with-page-cache-1.html: Renamed from LayoutTests/fast/loader/stateobjects/resources/popstate-fires-with-page-cache-1.html.
    * LayoutTests/fast/loader/stateobjects/resources/popstate-does-not-fire-with-page-cache-2.html: Added.
    * LayoutTests/fast/loader/stateobjects/resources/popstate-fires-with-page-cache-2.html: Removed.
    * LayoutTests/fast/loader/stateobjects/resources/replacestate-in-iframe-window-child.html:
    * Source/WebCore/history/CachedPage.cpp:
    (WebCore::firePageShowEvent):
    (WebCore::CachedPage::restore):
    (WebCore::firePageShowAndPopStateEvents): Deleted.
    * Source/WebCore/loader/FrameLoader.cpp:
    (WebCore::FrameLoader::didBeginDocument):
    (WebCore::FrameLoader::transitionToCommitted):
    * Source/WebCore/loader/FrameLoader.h:
    * Source/WebKit/UIProcess/WebBackForwardList.cpp:
    (WebKit::itemSkippingBackForwardItemsAddedByJSWithoutUserGesture):
    * Tools/TestWebKitAPI/Tests/WebKit/WKBackForwardList.mm:
    (runBackForwardNavigationSkipsItemsWithoutUserGestureTest):
    (TEST):
    (runBackForwardNavigationDoesNotSkipItemsWithUserGestureTest):

    Canonical link: https://commits.webkit.org/252432.944@safari-7614-branch

Commit: 704856b4b9e8c85b8720ca91634817eb6f790956
    https://github.com/WebKit/WebKit/commit/704856b4b9e8c85b8720ca91634817eb6f790956
Author: Nikolaos Mouchtaris <nmouchta...@apple.com>
Date:   2023-02-01 (Wed, 01 Feb 2023)

Changed paths:
    A LayoutTests/fast/scrolling/mac/smooth-scroll-fixed-element-expected.txt
    A LayoutTests/fast/scrolling/mac/smooth-scroll-fixed-element.html
    A LayoutTests/fast/scrolling/mac/smooth-scroll-iframe-expected.txt
    A LayoutTests/fast/scrolling/mac/smooth-scroll-iframe.html
    A LayoutTests/fast/scrolling/resources/smooth-scroll-iframe-helper-iframe.html
    M Source/WebCore/dom/Document.cpp
    M Source/WebCore/page/FrameView.cpp
    M Source/WebCore/page/FrameView.h
    M Source/WebCore/page/scrolling/AsyncScrollingCoordinator.cpp
    M Source/WebCore/platform/ScrollAnimator.cpp
    M Source/WebCore/platform/ScrollableArea.h
    M Source/WebCore/rendering/RenderLayerScrollableArea.cpp
    M Source/WebCore/rendering/RenderLayerScrollableArea.h

Log Message:
-----------
Cherry-pick 257665@main (b08436732d9d). https://bugs.webkit.org/show_bug.cgi?id=245300

    REGRESSION (251454@main): Setting scrollTop on fixed element with overflow breaks scrolling on a 'overscroll-behavior:none' page
    https://bugs.webkit.org/show_bug.cgi?id=245300
    <rdar://100057532>

    Reviewed by Simon Fraser.

    This fixes a few issues with https://commits.webkit.org/251454@main.
    The first is that the fix was originally only intended for scroll-behavior: smooth, so only add the scrollable area when we are doing an animated scroll. The second is to be more strict when these non-user scrollable areas are in the frame view's list of scrollable areas. We accomplish this by adding a call when the animation completes to updateScrollableAreaSet, which will determine if the particular scrollable area should be in the set after the animation completes. Finally, we add a check to absoluteEventTrackingRegionsForFrame(), to see if the scrollable area was added only because it needed to do an animation.

    * LayoutTests/fast/scrolling/mac/smooth-scroll-fixed-element-expected.txt: Added.
    * LayoutTests/fast/scrolling/mac/smooth-scroll-fixed-element.html: Added.
    * Source/WebCore/dom/Document.cpp:
    (WebCore::Document::runScrollSteps):
    * Source/WebCore/page/scrolling/AsyncScrollingCoordinator.cpp:
    (WebCore::AsyncScrollingCoordinator::animatedScrollDidEndForNode):
    * Source/WebCore/page/scrolling/ScrollingCoordinator.cpp:
    (WebCore::ScrollingCoordinator::absoluteEventTrackingRegionsForFrame const):
    * Source/WebCore/platform/ScrollAnimator.cpp:
    (WebCore::ScrollAnimator::didStopAnimatedScroll):
    * Source/WebCore/platform/ScrollableArea.h:
    (WebCore::ScrollableArea::animatedScrollDidEnd):
    * Source/WebCore/rendering/RenderLayerScrollableArea.cpp:
    (WebCore::RenderLayerScrollableArea::scrollToOffset):
    (WebCore::RenderLayerScrollableArea::registerScrollableAreaForAnimatedScroll):
    (WebCore::RenderLayerScrollableArea::animatedScrollDidEnd):
    (WebCore::RenderLayerScrollableArea::registerScrollableArea): Deleted.
    * Source/WebCore/rendering/RenderLayerScrollableArea.h:

    Canonical link: https://commits.webkit.org/257665@main

Commit: cc59c39e9af8434458f041aaca11f60bc1f0f16d
    https://github.com/WebKit/WebKit/commit/cc59c39e9af8434458f041aaca11f60bc1f0f16d
Author: Nikolaos Mouchtaris <nmouchta...@apple.com>
Date:   2023-02-01 (Wed, 01 Feb 2023)

Changed paths:
    A LayoutTests/fast/scrolling/mac/smooth-scroll-crash-expected.txt
    A LayoutTests/fast/scrolling/mac/smooth-scroll-crash.html
    M Source/WebCore/rendering/RenderLayerScrollableArea.cpp

Log Message:
-----------
Cherry-pick 252432.947@safari-7614-branch (2d531cf29dfa). https://bugs.webkit.org/show_bug.cgi?id=249242

    jsc_fuz/wktr: heap-use-after-free in WebCore::ScrollableArea::existingScrollAnimator() const ScrollableArea.h:188
    https://bugs.webkit.org/show_bug.cgi?id=249242
    <rdar://103294792>

    Reviewed by Simon Fraser and Ryan Haddad.

    Remove scrollable area from m_scrollableAreasForAnimatedScroll if scrollable area will be destroyed.

    * LayoutTests/fast/scrolling/mac/smooth-scroll-crash-expected.txt: Added.
    * LayoutTests/fast/scrolling/mac/smooth-scroll-crash.html: Added.
    * Source/WebCore/rendering/RenderLayerScrollableArea.cpp:
    (WebCore::RenderLayerScrollableArea::clear):

    Canonical link: https://commits.webkit.org/252432.947@safari-7614-branch

Commit: 1ae8226dbb800c3ef7b3b540c7692fe85d1c4e77
    https://github.com/WebKit/WebKit/commit/1ae8226dbb800c3ef7b3b540c7692fe85d1c4e77
Author: David Li <jingye...@apple.com>
Date:   2023-02-01 (Wed, 01 Feb 2023)

Changed paths:
    A LayoutTests/webgl/webgl-multi-draw-noop-expected.txt
    A LayoutTests/webgl/webgl-multi-draw-noop.html
    M Source/ThirdParty/ANGLE/src/libANGLE/Context.cpp
    M Source/ThirdParty/ANGLE/src/libANGLE/Context.h
    M Source/ThirdParty/ANGLE/src/libANGLE/Context.inl.h

Log Message:
-----------
Cherry-pick 252432.953@safari-7614-branch (e46603d76e04). rdar://94118546

    [ANGLE] Add no-op check for ANGLE WEBGL_multi_draw functions
    rdar://94118546

    Reviewed by Jonathan Bedard and Kimmo Kinnunen.
    * LayoutTests/webgl/webgl-multi-draw-noop-expected.txt: Added.
    * LayoutTests/webgl/webgl-multi-draw-noop.html: Added.
    * Source/ThirdParty/ANGLE/src/libANGLE/Context.cpp:
    (gl::Context::multiDrawArrays):
    (gl::Context::multiDrawArraysInstanced):
    (gl::Context::multiDrawElements):
    (gl::Context::multiDrawElementsInstanced):
    (gl::Context::multiDrawArraysInstancedBaseInstance):
    (gl::Context::multiDrawElementsInstancedBaseVertexBaseInstance):
    * Source/ThirdParty/ANGLE/src/libANGLE/Context.h:
    * Source/ThirdParty/ANGLE/src/libANGLE/Context.inl.h:
    (gl::Context::noopMultiDraw const):

    Canonical link: https://commits.webkit.org/252432.953@safari-7614-branch

Compare: https://github.com/WebKit/WebKit/compare/35ecde32dfff...1ae8226dbb80

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes