Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: a73af3d73e478fc7a5190b3d83f5d0cc5ee96c03
https://github.com/WebKit/WebKit/commit/a73af3d73e478fc7a5190b3d83f5d0cc5ee96c03
Author: Abrar Rahman Protyasha <[email protected]>
Date: 2026-03-18 (Wed, 18 Mar 2026)
Changed paths:
A LayoutTests/ipc/remote-user-input-event-data-with-empty-event-deque-expected.txt
A LayoutTests/ipc/remote-user-input-event-data-with-empty-event-deque.html
M Source/WebKit/UIProcess/WebPageProxy.cpp
Log Message:
-----------
[Site Isolation] UI process crash via unchecked mouse event queue access
during DidReceiveEvent IPC handling
https://bugs.webkit.org/show_bug.cgi?id=310142
rdar://172721665
Reviewed by Charlie Wolfe.
A compromised web content process can send unsolicited DidReceiveEvent
IPC messages with remoteUserInputEventData set, causing the UI process
to call mouseEventQueue.first() on an empty deque. The MESSAGE_CHECK
that guards against an empty queue was only in the else branch, so
supplying remoteUserInputEventData bypassed it entirely.
This patch addresses the crash by hoisting the MESSAGE_CHECK above the
remoteUserInputEventData branch so it covers both paths. In the longer
term, we could just replace DidReceiveEvent with completion handlers,
which would categorically eliminate this kind of bug.
Test: ipc/remote-user-input-event-data-with-empty-event-deque.html
* LayoutTests/ipc/remote-user-input-event-data-with-empty-event-deque-expected.txt:
Added.
* LayoutTests/ipc/remote-user-input-event-data-with-empty-event-deque.html:
Added.
* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::mouseEventHandlingCompleted):
Canonical link: https://commits.webkit.org/309473@main
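The control-flow defect the commit message describes, modelled as an added example that is not WebKit's code: a buggy handler whose emptiness check sits only in the else branch, beside the fixed handler with the check hoisted above the remoteUserInputEventData branch. All names are constructed; MESSAGE_CHECK tripping is modelled as a returned sentinel, and the spot where the original dereferenced an empty deque is reported as a distinct outcome rather than crashing.

```cpp
#include <deque>
#include <optional>
// Constructed model of the handler described in the commit message; the
// names and structure are assumptions, not WebKit's own code.
struct MouseEvent { int id; };
struct RemoteUserInputEventData { int targetFrameId; };
// MessageCheckFailed models MESSAGE_CHECK tripping (sender gets terminated);
// UncheckedAccess marks where the original called first() on an empty deque.
enum class Outcome { HandledLocally, ForwardedToFrame, MessageCheckFailed, UncheckedAccess };

// Buggy ordering: the emptiness check lives only in the else branch, so a
// message that carries remoteUserInputEventData skips it entirely.
Outcome handleBuggy(std::deque<MouseEvent>& queue,
                    const std::optional<RemoteUserInputEventData>& remote)
{
    if (remote) {
        if (queue.empty())
            return Outcome::UncheckedAccess; // queue.front() would be UB here
        queue.pop_front();
        return Outcome::ForwardedToFrame;
    }
    if (queue.empty())
        return Outcome::MessageCheckFailed; // the only guarded path
    queue.pop_front();
    return Outcome::HandledLocally;
}

// Fixed ordering: the check is hoisted above the branch, so an unsolicited
// message is rejected before either path touches the queue.
Outcome handleFixed(std::deque<MouseEvent>& queue,
                    const std::optional<RemoteUserInputEventData>& remote)
{
    if (queue.empty())
        return Outcome::MessageCheckFailed;
    queue.pop_front();
    return remote ? Outcome::ForwardedToFrame : Outcome::HandledLocally;
}

// Drives one scenario: `queued` pending events and a message with or
// without remoteUserInputEventData, against the buggy or the fixed handler.
Outcome runScenario(bool useFixed, int queued, bool withRemote)
{
    std::deque<MouseEvent> queue;
    for (int i = 0; i < queued; ++i)
        queue.push_back(MouseEvent{i});
    std::optional<RemoteUserInputEventData> remote;
    if (withRemote) remote = RemoteUserInputEventData{1};
    return useFixed ? handleFixed(queue, remote) : handleBuggy(queue, remote);
}
```

The unsolicited case (empty queue, remoteUserInputEventData present) is the one a regression test must cover, since every other combination was already guarded before the fix.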