Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: a4467affde12ae99f88dc7114e6bc9b2b95cd062
      
https://github.com/WebKit/WebKit/commit/a4467affde12ae99f88dc7114e6bc9b2b95cd062
  Author: Antoine Quint <grao...@webkit.org>
  Date:   2023-01-17 (Tue, 17 Jan 2023)

  Changed paths:
    M Source/WebCore/platform/graphics/ca/GraphicsLayerCA.cpp
    M Source/WebCore/platform/graphics/ca/PlatformCAAnimation.cpp
    M Source/WebCore/platform/graphics/ca/PlatformCAAnimation.h
    M Source/WebCore/platform/graphics/ca/PlatformCAFilters.h
    M Source/WebCore/platform/graphics/ca/cocoa/PlatformCAFiltersCocoa.mm
    M Source/WebKit/WebProcess/WebPage/RemoteLayerTree/PlatformCAAnimationRemote.mm
    M Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj
    A Tools/TestWebKitAPI/Tests/WebCore/PlatformCAAnimationKeyPath.cpp

  Log Message:
  -----------
  Validate animation key paths sent over IPC
https://bugs.webkit.org/show_bug.cgi?id=250510
rdar://102433824

Reviewed by Simon Fraser.

We use CAAnimation subclasses to perform certain types of animations that can be accelerated on Cocoa ports. On iOS, we run those animations in the UIProcess where the target CALayer objects are hosted. The `keyPath` for each of those animations is encoded and transmitted to the UIProcess as a string. However, given the way these key paths are handled by Core Animation, unexpected strings containing certain symbols, such as `dealloc`, could wreak havoc and compromise the UIProcess.

We add static methods to PlatformCAAnimation to create such key paths in GraphicsLayerCA. Then we assert the key path is valid before it is sent over in the PlatformCAAnimationRemote constructor, which is run in the WebProcess, and assert again in the static function addAnimationToLayer() before CAAnimation objects are created in the UIProcess, returning early in case the key path turns out to be invalid.

* Source/WebCore/platform/graphics/ca/GraphicsLayerCA.cpp:
(WebCore::GraphicsLayerCA::updateAnimations):
(WebCore::GraphicsLayerCA::createAnimationFromKeyframes):
(WebCore::GraphicsLayerCA::appendToUncommittedAnimations):
(WebCore::propertyIdToString): Deleted.
* Source/WebCore/platform/graphics/ca/PlatformCAAnimation.cpp:
(WebCore::PlatformCAAnimation::makeKeyPath):
(WebCore::isValidFilterKeyPath):
(WebCore::PlatformCAAnimation::isValidKeyPath):
* Source/WebCore/platform/graphics/ca/PlatformCAAnimation.h:
* Source/WebCore/platform/graphics/ca/PlatformCAFilters.h:
* Source/WebCore/platform/graphics/ca/cocoa/PlatformCAFiltersCocoa.mm:
(WebCore::PlatformCAFilters::filterValueForOperation):
(WebCore::PlatformCAFilters::animatedFilterPropertyName):
(WebCore::PlatformCAFilters::isValidAnimatedFilterPropertyName):
* Source/WebKit/WebProcess/WebPage/RemoteLayerTree/PlatformCAAnimationRemote.mm:
(WebKit::PlatformCAAnimationRemote::PlatformCAAnimationRemote):
(WebKit::addAnimationToLayer):
* Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:
* Tools/TestWebKitAPI/Tests/WebCore/PlatformCAAnimationKeyPath.cpp: Added.
(TestWebKitAPI::TEST):
(TestWebKitAPI::validateGeneratedKeyPath):

Canonical link: https://commits.webkit.org/258986@main


_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
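The pattern the commit message describes (key paths built only from a fixed set of properties in the sending process, then re-validated by allowlist in the receiving process before any Core Animation object is created) is shown below as an added, self-contained example. It is not WebKit's code: the property allowlists, the `filters.filter_<n>.<property>` naming scheme, the `AnimatedProperty` enum and the `makeKeyPath` / `isValidKeyPath` / `addAnimationToLayer` stand-ins are all assumptions chosen to illustrate the check, and only borrow the commit's function names.

```cpp
// Added example of two-sided key-path validation; not WebKit code.
// All allowlists, names and the filter naming scheme are assumptions.
#include <array>
#include <cctype>
#include <cstddef>
#include <cstdio>
#include <string>
#include <string_view>

namespace KeyPathExample {

// Assumed allowlist of top-level layer properties the sender may animate.
constexpr std::array<std::string_view, 3> kLayerProperties { "transform", "opacity", "backgroundColor" };

// Assumed allowlist of per-filter properties reachable under "filters.<name>.".
constexpr std::array<std::string_view, 4> kFilterProperties { "inputAmount", "inputRadius", "inputColor", "inputIntensity" };

constexpr std::string_view kFiltersPrefix = "filters.";

template <size_t N>
static bool inList(const std::array<std::string_view, N>& list, std::string_view s)
{
    for (auto entry : list) {
        if (entry == s)
            return true;
    }
    return false;
}

// A filter name must be a non-empty run of [A-Za-z0-9_], so it can neither add
// extra path components nor smuggle in a selector-like token such as "dealloc".
static bool isValidFilterName(std::string_view name)
{
    if (name.empty())
        return false;
    for (unsigned char c : name) {
        if (!(std::isalnum(c) || c == '_'))
            return false;
    }
    return true;
}

// Receiver-side check: accept exactly "<layerProperty>" or
// "filters.<filterName>.<filterProperty>" and reject everything else.
bool isValidKeyPath(std::string_view keyPath)
{
    if (keyPath.empty() || keyPath.find('\0') != std::string_view::npos)
        return false;
    if (inList(kLayerProperties, keyPath))
        return true;
    if (keyPath.substr(0, kFiltersPrefix.size()) != kFiltersPrefix)
        return false;
    std::string_view rest = keyPath.substr(kFiltersPrefix.size());
    size_t dot = rest.find('.');
    if (dot == std::string_view::npos)
        return false;
    std::string_view filterName = rest.substr(0, dot);
    std::string_view property = rest.substr(dot + 1); // must be a single component
    return isValidFilterName(filterName) && inList(kFilterProperties, property);
}

// Sender side: key paths are only ever built from an enum plus an index, never
// from free-form strings, so the producer cannot emit anything the receiver rejects.
enum class AnimatedProperty { Transform, Opacity, BackgroundColor, FilterAmount, FilterRadius };

std::string makeKeyPath(AnimatedProperty property, unsigned filterIndex = 0)
{
    switch (property) {
    case AnimatedProperty::Transform: return "transform";
    case AnimatedProperty::Opacity: return "opacity";
    case AnimatedProperty::BackgroundColor: return "backgroundColor";
    case AnimatedProperty::FilterAmount: return "filters.filter_" + std::to_string(filterIndex) + ".inputAmount";
    case AnimatedProperty::FilterRadius: return "filters.filter_" + std::to_string(filterIndex) + ".inputRadius";
    }
    return {};
}

// Stand-in for the receiving process's addAnimationToLayer(): validate first and
// return early on failure instead of handing an untrusted key path to Core Animation.
bool addAnimationToLayer(std::string_view keyPath)
{
    if (!isValidKeyPath(keyPath))
        return false;
    // ... the real code would create the CAAnimation with keyPath here ...
    return true;
}

} // namespace KeyPathExample

int main()
{
    using namespace KeyPathExample;
    const char* samples[] = { "transform", "dealloc", "transform.dealloc", "filters.filter_0.inputAmount", "filters.blur.dealloc" };
    for (const char* s : samples)
        std::printf("%-32s -> %s\n", s, addAnimationToLayer(s) ? "accepted" : "rejected");
    return 0;
}
```

The receiver does not trust the sender's assertion: even though `makeKeyPath` can only produce allowlisted strings, `addAnimationToLayer` re-parses the string it actually received, which is the check that matters if the WebProcess is compromised.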
