Branch: refs/heads/main
Home:   https://github.com/WebKit/WebKit
Commit: f554fc01c126e03b1ec6c14592f090a3f725d6e2
        https://github.com/WebKit/WebKit/commit/f554fc01c126e03b1ec6c14592f090a3f725d6e2
Author: Antoine Quint <grao...@apple.com>
Date:   2023-01-18 (Wed, 18 Jan 2023)

Changed paths:
  M Source/WebCore/PlatformAppleWin.cmake
  M Source/WebCore/platform/graphics/ca/GraphicsLayerCA.cpp
  M Source/WebCore/platform/graphics/ca/PlatformCAAnimation.cpp
  M Source/WebCore/platform/graphics/ca/PlatformCAAnimation.h
  M Source/WebCore/platform/graphics/ca/PlatformCAFilters.h
  M Source/WebCore/platform/graphics/ca/cocoa/PlatformCAFiltersCocoa.mm
  M Source/WebCore/platform/graphics/ca/win/PlatformCAFiltersWin.cpp
  M Source/WebKit/WebProcess/WebPage/RemoteLayerTree/PlatformCAAnimationRemote.mm
  M Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj
  A Tools/TestWebKitAPI/Tests/WebCore/PlatformCAAnimationKeyPath.cpp

Log Message:
-----------
Validate animation key paths sent over IPC
https://bugs.webkit.org/show_bug.cgi?id=250510
rdar://102433824

Reviewed by Simon Fraser.

We use CAAnimation subclasses to perform certain types of animations that can be
accelerated on Cocoa ports. On iOS, we run those animations in the UIProcess where
the target CALayer objects are hosted. The `keyPath` for each of those animations
is encoded and transmitted to the UIProcess as a string. However, given the way
these key paths are handled by Core Animation, unexpected strings with certain
symbols, such as `dealloc`, could wreak havoc and compromise the UIProcess.

We add static methods to PlatformCAAnimation to create such key paths in
GraphicsLayerCA. Then we assert the key path is valid before it is sent over in
the PlatformCAAnimationRemote constructor, which is run in the WebProcess, and
assert again in the static function addAnimationToLayer() before CAAnimation
objects are created in the UIProcess, returning early in case the key path turns
out to be invalid.

* Source/WebCore/PlatformAppleWin.cmake:
* Source/WebCore/platform/graphics/ca/GraphicsLayerCA.cpp:
(WebCore::GraphicsLayerCA::updateAnimations):
(WebCore::GraphicsLayerCA::createAnimationFromKeyframes):
(WebCore::GraphicsLayerCA::appendToUncommittedAnimations):
(WebCore::propertyIdToString): Deleted.
* Source/WebCore/platform/graphics/ca/PlatformCAAnimation.cpp:
(WebCore::PlatformCAAnimation::makeGroupKeyPath):
(WebCore::PlatformCAAnimation::makeKeyPath):
(WebCore::isValidFilterKeyPath):
(WebCore::PlatformCAAnimation::isValidKeyPath):
* Source/WebCore/platform/graphics/ca/PlatformCAAnimation.h:
* Source/WebCore/platform/graphics/ca/PlatformCAFilters.h:
* Source/WebCore/platform/graphics/ca/cocoa/PlatformCAFiltersCocoa.mm:
(WebCore::PlatformCAFilters::filterValueForOperation):
(WebCore::PlatformCAFilters::animatedFilterPropertyName):
(WebCore::PlatformCAFilters::isValidAnimatedFilterPropertyName):
* Source/WebCore/platform/graphics/ca/win/PlatformCAFiltersWin.cpp:
(PlatformCAFilters::animatedFilterPropertyName):
(PlatformCAFilters::isValidAnimatedFilterPropertyName):
* Source/WebKit/WebProcess/WebPage/RemoteLayerTree/PlatformCAAnimationRemote.mm:
(WebKit::PlatformCAAnimationRemote::PlatformCAAnimationRemote):
(WebKit::addAnimationToLayer):
* Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:
* Tools/TestWebKitAPI/Tests/WebCore/PlatformCAAnimationKeyPath.cpp: Added.
(TestWebKitAPI::TEST):
(TestWebKitAPI::validateGeneratedKeyPath):

Canonical link: https://commits.webkit.org/259066@main
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes