Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: acf3ca6f197b0b978b5ddf67ee5463f73d401e2f
https://github.com/WebKit/WebKit/commit/acf3ca6f197b0b978b5ddf67ee5463f73d401e2f
Author: David Kilzer <[email protected]>
Date: 2026-04-05 (Sun, 05 Apr 2026)
Changed paths:
M Source/WebCore/Modules/indexeddb/server/SQLiteIDBBackingStore.cpp
Log Message:
-----------
Crash due to nullptr deref in WebCore::SQLiteIDBBackingStore::openCursor()
via infoForObjectStore()
<https://bugs.webkit.org/show_bug.cgi?id=311493>
<rdar://168962352>
Reviewed by Sihui Liu.
Add nullptr checks for `infoForObjectStore()` return values in four
call sites that unconditionally dereference the result after only a
Debug `ASSERT()`. When `m_objectStoreMap` is empty (e.g., due to
database corruption or metadata migration failure),
`HashMap::find()` crashes because the compiler eliminates the
internal nullptr check on `m_table` through undefined behavior (UB)
propagation from the unconditional dereference after inlining.
* Source/WebCore/Modules/indexeddb/server/SQLiteIDBBackingStore.cpp:
(WebCore::IDBServer::SQLiteIDBBackingStore::getIndexRecord):
(WebCore::IDBServer::SQLiteIDBBackingStore::iterateCursor):
(WebCore::IDBServer::SQLiteIDBBackingStore::openCursor):
(WebCore::IDBServer::SQLiteIDBBackingStore::uncheckedGetIndexRecordForOneKey):
- Change to `openCursor()` fixes the crash. The rest are drive-by
fixes with the same pattern.
Canonical link: https://commits.webkit.org/310618@main
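The pattern the commit message describes, shown as an added example that is not WebKit's code: a lookup that returns a pointer or nullptr, a caller that guards the dereference only with a Debug-build ASSERT, and the hardened caller that keeps an explicit nullptr check alive in release builds. The class, the IDBError enum, the openCursorUnsafe/openCursorSafe names and the IDB_DEBUG_ASSERTS macro are all hypothetical; only the shape (infoForObjectStore() returning null when m_objectStoreMap is empty, ASSERT() compiled out in release) follows the commit message. The actual miscompilation cannot be reproduced deterministically here, so the example demonstrates the structural fix rather than the crash.

```cpp
// Added example, not WebKit code. Names are modelled on the commit message;
// the implementation is hypothetical.
#include <cassert>
#include <cstdint>
#include <string>
#include <unordered_map>
#include <utility>

// Emulate WebKit's ASSERT(): active only in Debug builds. Set to 1 to see the
// Debug behaviour; at 0 (the default here) the macro expands to nothing, as in
// a release build.
#ifndef IDB_DEBUG_ASSERTS
#define IDB_DEBUG_ASSERTS 0
#endif
#if IDB_DEBUG_ASSERTS
#define ASSERT(x) assert(x)
#else
#define ASSERT(x) ((void)0)
#endif

enum class IDBError { None, InvalidState };

struct ObjectStoreInfo {
    uint64_t identifier;
    std::string name;
};

using StoreMap = std::unordered_map<uint64_t, ObjectStoreInfo>;

class BackingStore {
public:
    explicit BackingStore(StoreMap m) : m_objectStoreMap(std::move(m)) {}

    // Returns nullptr when the store is unknown, e.g. because the map is empty
    // after database corruption or a failed metadata migration.
    const ObjectStoreInfo* infoForObjectStore(uint64_t id) const {
        auto it = m_objectStoreMap.find(id);
        return it == m_objectStoreMap.end() ? nullptr : &it->second;
    }

    // Before the fix: the only guard is a Debug-only ASSERT. In a release
    // build the dereference below is unconditional, so the compiler may
    // assume `info` is non-null and, after inlining, drop the null checks
    // inside the map lookup itself.
    IDBError openCursorUnsafe(uint64_t id, std::string& nameOut) const {
        const ObjectStoreInfo* info = infoForObjectStore(id);
        ASSERT(info);
        nameOut = info->name; // undefined behaviour when info == nullptr
        return IDBError::None;
    }

    // After the fix: keep the ASSERT for Debug builds, but also return an
    // error on nullptr so release builds never reach the dereference.
    IDBError openCursorSafe(uint64_t id, std::string& nameOut) const {
        const ObjectStoreInfo* info = infoForObjectStore(id);
        ASSERT(info);
        if (!info)
            return IDBError::InvalidState;
        nameOut = info->name;
        return IDBError::None;
    }

private:
    StoreMap m_objectStoreMap;
};

// Empty map: the corrupted-database case. The safe path must report an error
// and leave the output untouched instead of dereferencing nullptr.
bool safePathRejectsUnknownStore() {
    BackingStore emptyStore(StoreMap{});
    std::string name;
    return emptyStore.openCursorSafe(42, name) == IDBError::InvalidState && name.empty();
}

// Known store: both paths behave identically when the lookup succeeds.
bool safePathFindsKnownStore() {
    BackingStore store(StoreMap{{7, ObjectStoreInfo{7, "records"}}});
    std::string safeName, unsafeName;
    return store.openCursorSafe(7, safeName) == IDBError::None && safeName == "records"
        && store.openCursorUnsafe(7, unsafeName) == IDBError::None && unsafeName == "records";
}

int main() {
    return (safePathRejectsUnknownStore() && safePathFindsKnownStore()) ? 0 : 1;
}
```

The point of the explicit `if (!info)` is that it is a real branch in every build configuration; an ASSERT that compiles to nothing gives the optimizer no reason to keep any null handling, so the release binary is exactly as exposed as if the check had never been written.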