Branch: refs/heads/webkitglib/2.38
Home: https://github.com/WebKit/WebKit

Commit: e72817e76a462a0bfc9c1c5514c3f2f3479d10a7
  https://github.com/WebKit/WebKit/commit/e72817e76a462a0bfc9c1c5514c3f2f3479d10a7
Author: Arunsundar Kannan <arunsundar_kan...@apple.com>
Date: 2023-01-31 (Tue, 31 Jan 2023)

Changed paths:
  A LayoutTests/fast/forms/textfield-input-type-crash-onblur-expected.txt
  A LayoutTests/fast/forms/textfield-input-type-crash-onblur.html
  M Source/WebCore/html/HTMLInputElement.cpp
  M Source/WebCore/html/HTMLOptionElement.cpp
  M Source/WebCore/html/TextFieldInputType.cpp

Log Message:
-----------
Cherry-pick 252432.838@safari-7614-branch (665170902bfa). https://bugs.webkit.org/show_bug.cgi?id=247389

UAF crash occurs during a style update when an older freed HTMLElement is accessed
https://bugs.webkit.org/show_bug.cgi?id=247389
rdar://101420898

Reviewed by Ryosuke Niwa and Ryan Haddad.

* LayoutTests/fast/forms/textfield-input-type-crash-onblur-expected.txt: Added.
* LayoutTests/fast/forms/textfield-input-type-crash-onblur.html: Added.
* Source/WebCore/html/HTMLInputElement.cpp:
(WebCore::HTMLInputElement::dataListMayHaveChanged):
* Source/WebCore/html/HTMLOptionElement.cpp:
(WebCore::HTMLOptionElement::childrenChanged):
* Source/WebCore/html/TextFieldInputType.cpp:
(WebCore::TextFieldInputType::createDataListDropdownIndicator):
(WebCore::TextFieldInputType::dataListMayHaveChanged):

Canonical link: https://commits.webkit.org/252432.838@safari-7614-branch


Commit: ee69ee950363d4ec41fbc397b841aa21c303eb59
  https://github.com/WebKit/WebKit/commit/ee69ee950363d4ec41fbc397b841aa21c303eb59
Author: Chris Dumez <cdu...@apple.com>
Date: 2023-01-31 (Tue, 31 Jan 2023)

Changed paths:
  A LayoutTests/fast/dom/lazy-loading-iframe-destruction-crash-expected.txt
  A LayoutTests/fast/dom/lazy-loading-iframe-destruction-crash.html
  M Source/WebCore/dom/Document.cpp

Log Message:
-----------
Cherry-pick 252432.841@safari-7614-branch (a47510d4bcf4). https://bugs.webkit.org/show_bug.cgi?id=248111

Fix potential crash under IntersectionObserver::disconnect()
https://bugs.webkit.org/show_bug.cgi?id=248111
rdar://100355921

Reviewed by Jonathan Bedard and Ryosuke Niwa.

Make sure we protect the intersection observers and resize observers before calling disconnect() on them in Document::commonTeardown().

This is a speculative fix to address the crash in the radar, which I was unable to reproduce.

* LayoutTests/fast/dom/lazy-loading-iframe-destruction-crash-expected.txt: Added.
* LayoutTests/fast/dom/lazy-loading-iframe-destruction-crash.html: Added.
Include test from the radar, even though it didn't reproduce the issue for me.
* Source/WebCore/dom/Document.cpp:
(WebCore::Document::commonTeardown):

Canonical link: https://commits.webkit.org/252432.841@safari-7614-branch


Commit: 2ee4be61cb23e858618fdc7c63b095e7635f6029
  https://github.com/WebKit/WebKit/commit/2ee4be61cb23e858618fdc7c63b095e7635f6029
Author: Dan Glastonbury <d...@apple.com>
Date: 2023-01-31 (Tue, 31 Jan 2023)

Changed paths:
  M Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp

Log Message:
-----------
Cherry-pick 252432.896@safari-7614-branch (91df735c5c49). rdar://98583503

[WebGL] Harden texImageImpl byte length calculation
rdar://98583503

Reviewed by Kimmo Kinnunen and Ryan Haddad.

The calculation of the image size has been validated earlier but out of an abundance of caution, use checked arithmetic on size_t to perform calculation, returning a GL error on overflow.

* Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp:
(WebCore::WebGLRenderingContextBase::texImageImpl): Calculate imagePixelsByteLength with checked arithmetic to catch integer overflow.

Canonical link: https://commits.webkit.org/252432.896@safari-7614-branch


Commit: dfb14621447bf8d6f565cb8fac734ed9890e246e
  https://github.com/WebKit/WebKit/commit/dfb14621447bf8d6f565cb8fac734ed9890e246e
Author: Alex Christensen <achristen...@apple.com>
Date: 2023-01-31 (Tue, 31 Jan 2023)

Changed paths:
  M Source/WebKit/WebProcess/WebCoreSupport/SessionStateConversion.cpp
  M Tools/TestWebKitAPI/Tests/WebKit/WKBackForwardList.mm

Log Message:
-----------
Cherry-pick 252432.898@safari-7614-branch (57748248ae92). https://bugs.webkit.org/show_bug.cgi?id=248664

Truncate title before adding to _WKSessionState
https://bugs.webkit.org/show_bug.cgi?id=248664
rdar://102444516

Reviewed by Chris Dumez, Mark Gee, and Jonathan Bedard.

Truncate the title to 1000 characters like we do everywhere else we send the title from the web content process.

* Source/WebKit/WebProcess/WebCoreSupport/SessionStateConversion.cpp:
(WebKit::toBackForwardListItemState):
* Tools/TestWebKitAPI/Tests/WebKit/WKBackForwardList.mm:
(TEST):

Canonical link: https://commits.webkit.org/252432.898@safari-7614-branch


Commit: 35ecde32dfff55d1afd332047651da077426fb95
  https://github.com/WebKit/WebKit/commit/35ecde32dfff55d1afd332047651da077426fb95
Author: Claudio Saavedra <csaave...@igalia.com>
Date: 2023-01-31 (Tue, 31 Jan 2023)

Changed paths:
  A LayoutTests/http/tests/security/embedded-self-reference-after-url-modified-expected.txt
  A LayoutTests/http/tests/security/embedded-self-reference-after-url-modified.html
  M Source/WebCore/html/HTMLFrameOwnerElement.cpp

Log Message:
-----------
Cherry-pick 256843.2@webkit-2022.12-embargoed (155bed739000). https://bugs.webkit.org/show_bug.cgi?id=248469

HTMLFrameOwnerElement: use Document::creationURL() for self-reference check
https://bugs.webkit.org/show_bug.cgi?id=248469

Reviewed by Darin Adler.

Document::url() can be changed through the History API, therefore it's not a reliable source to verify whether a given URL is self-referencing. Use creationURL instead, which is immutable.

* LayoutTests/http/tests/security/embedded-self-reference-after-url-modified-expected.txt: Added.
* LayoutTests/http/tests/security/embedded-self-reference-after-url-modified.html: Added.
* Source/WebCore/html/HTMLFrameOwnerElement.cpp:
(WebCore::HTMLFrameOwnerElement::isProhibitedSelfReference const):

Canonical link: https://commits.webkit.org/256843.2@webkit-2022.12-embargoed


Compare: https://github.com/WebKit/WebKit/compare/33fc68e77ae8...35ecde32dfff
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
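The checked-arithmetic hardening described in commit 2ee4be61 above (texImageImpl computing imagePixelsByteLength on size_t and returning a GL error on overflow), as an added illustration that is not WebKit's code: WebKit uses its own Checked<> template, whereas the struct and function names below are hypothetical and the inputs are constructed.

```cpp
#include <cstddef>
#include <limits>
#include <optional>

// Hypothetical stand-in for the image parameters a texImage call receives.
struct ImageDims {
    size_t width;
    size_t height;
    size_t bytesPerPixel;
};

// Multiply on size_t and report overflow instead of wrapping.
static std::optional<size_t> checkedMul(size_t a, size_t b)
{
    if (a != 0 && b > std::numeric_limits<size_t>::max() / a)
        return std::nullopt;
    return a * b;
}

// Hardened form: width * bytesPerPixel * height with every step checked.
// std::nullopt means "integer overflow": the caller should raise a GL error
// (INVALID_VALUE) and bail out rather than allocate or copy with a wrapped size.
std::optional<size_t> imagePixelsByteLength(const ImageDims& d)
{
    auto rowBytes = checkedMul(d.width, d.bytesPerPixel);
    if (!rowBytes)
        return std::nullopt;
    return checkedMul(*rowBytes, d.height);
}

// Unhardened form kept for contrast: on overflow it silently wraps, and a
// wrapped (too small) length is what lets a later bounds check pass and a
// copy run past the buffer it was meant to guard.
size_t uncheckedByteLength(const ImageDims& d)
{
    return d.width * d.height * d.bytesPerPixel;
}

// Constructed inputs: a plausible 256x256 RGBA8 image, and a width chosen so
// that width * height wraps past SIZE_MAX (here all the way back to 0).
constexpr ImageDims kRgba256 = { 256, 256, 4 };
constexpr ImageDims kOverflowing = { std::numeric_limits<size_t>::max() / 2 + 1, 4, 1 };
```

The same pattern applies wherever a size is derived from attacker-influenced dimensions: do the multiplication in checked form once, and treat overflow as a validation failure rather than a number.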