Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 47d7e9d235aa78c4b524b58b9ffce1356c1efe62
      
https://github.com/WebKit/WebKit/commit/47d7e9d235aa78c4b524b58b9ffce1356c1efe62
  Author: Jean-Yves Avenard <[email protected]>
  Date:   2026-04-21 (Tue, 21 Apr 2026)

  Changed paths:
    A LayoutTests/fast/webcodecs/resetting-audio-decoder-with-zero-size-crash-expected.txt
    A LayoutTests/fast/webcodecs/resetting-audio-decoder-with-zero-size-crash.html
    M Source/WebCore/platform/audio/cocoa/AudioSampleBufferConverter.h
    M Source/WebCore/platform/audio/cocoa/AudioSampleBufferConverter.mm

  Log Message:
  -----------
  AudioDecoder Crash in CrashIfClientProvidedBogusAudioBufferList if AudioConverterComplexInputDataProc returned an empty input
rdar://163644615

Reviewed by Youenn Fablet.

For supported audio codecs for which zero-sized packets have no meaning,
skip those packets altogether. See ISO/IEC 14496-12 8.7.3.1.

Added crash test.
* LayoutTests/fast/webcodecs/resetting-audio-decoder-with-zero-size-crash-expected.txt: Added.
* LayoutTests/fast/webcodecs/resetting-audio-decoder-with-zero-size-crash.html: Added.
* Source/WebCore/platform/audio/cocoa/AudioSampleBufferConverter.h:
* Source/WebCore/platform/audio/cocoa/AudioSampleBufferConverter.mm:
(WebCore::AudioSampleBufferConverter::initAudioConverterForSourceFormatDescription):
(WebCore::AudioSampleBufferConverter::provideSourceDataNumOutputPackets):

Originally-landed-as: 305413.236@safari-7624-branch (0eff1a24d485). 
rdar://173968844
Canonical link: https://commits.webkit.org/311704@main


  Commit: 3cc1e137363f0cda090c9b7adcc56a557859b6a9
      
https://github.com/WebKit/WebKit/commit/3cc1e137363f0cda090c9b7adcc56a557859b6a9
  Author: David Kilzer <[email protected]>
  Date:   2026-04-21 (Tue, 21 Apr 2026)

  Changed paths:
    M Source/WebCore/platform/cocoa/RemoteCommandListenerCocoa.mm

  Log Message:
  -----------
  Crash in WebCore::RemoteCommandListener::supportsSeeking()
<https://bugs.webkit.org/show_bug.cgi?id=306794>
<rdar://162768654>

Reviewed by Ryosuke Niwa.

The crash occurs when a `RemoteCommandListenerCocoa` object registers a
block with MediaRemote framework, the object is destroyed, but
MediaRemote retains the block and later executes it, accessing freed
memory.

The fix validates the `ThreadSafeWeakPtr weakThis` at the start of the
MediaRemote block and returns early if the object is destroyed.  All
member access is changed to use the protected reference from the weak
pointer instead of direct calls like `supportsSeeking()`.

No new tests since this change is not directly testable.

* Source/WebCore/platform/cocoa/RemoteCommandListenerCocoa.mm:
(WebCore::RemoteCommandListenerCocoa::RemoteCommandListenerCocoa):

Originally-landed-as: 305413.238@safari-7624-branch (49ebebcc212b). 
rdar://173968833
Canonical link: https://commits.webkit.org/311705@main


  Commit: 460528ee4187f90f3aab5ede54fbf11052f2a4f3
      
https://github.com/WebKit/WebKit/commit/460528ee4187f90f3aab5ede54fbf11052f2a4f3
  Author: Shu-yu Guo <[email protected]>
  Date:   2026-04-21 (Tue, 21 Apr 2026)

  Changed paths:
    M Source/JavaScriptCore/dfg/DFGValueRepReductionPhase.cpp

  Log Message:
  -----------
  [JSC] Escape MultiGetByOffset constants that aren't convertible to double
https://bugs.webkit.org/show_bug.cgi?id=306986
rdar://169245825

Reviewed by Yusuke Suzuki.

ValueRepReduction for doubles needs to eagerly convert constants in
MultiGetByOffset cases to doubles. This patch escapes MultiGetByOffset
constants that cannot be converted to doubles purely.

* Source/JavaScriptCore/dfg/DFGValueRepReductionPhase.cpp:
(JSC::DFG::ValueRepReductionPhase::convertValueRepsToUnboxed):

Originally-landed-as: 305413.251@safari-7624-branch (d2086e16a217). 
rdar://173968823
Canonical link: https://commits.webkit.org/311706@main


  Commit: 6aacf62000967a62dc5abf7ccf267b1bc115e38d
      
https://github.com/WebKit/WebKit/commit/6aacf62000967a62dc5abf7ccf267b1bc115e38d
  Author: Zak Ridouh <[email protected]>
  Date:   2026-04-21 (Tue, 21 Apr 2026)

  Changed paths:
    M Source/WebKit/GPUProcess/graphics/RemoteGraphicsContext.cpp

  Log Message:
  -----------
  Copy the glyph buffer in RemoteGraphicsContext::drawGlyphs
<https://bugs.webkit.org/show_bug.cgi?id=308248>
<rdar://169563888>

Reviewed by Simon Fraser.

Copy the glyph buffer in RemoteGraphicsContext::drawGlyphs

Slight variant of Kimmo's patch, using inline vector capacity to attempt
clawing back some performance impact when copying the buffer.

No new tests.

* Source/WebKit/GPUProcess/graphics/RemoteGraphicsContext.cpp:
(WebKit::RemoteGraphicsContext::drawGlyphs):

Originally-landed-as: 305413.340@safari-7624-branch (035f36c175f9). 
rdar://173968811
Canonical link: https://commits.webkit.org/311707@main


  Commit: 69a8331a19dab4220d5ad4ffe669b0b5ce145c44
      
https://github.com/WebKit/WebKit/commit/69a8331a19dab4220d5ad4ffe669b0b5ce145c44
  Author: Per Arne Vollan <[email protected]>
  Date:   2026-04-21 (Tue, 21 Apr 2026)

  Changed paths:
    M Source/WebKit/Shared/mac/AuxiliaryProcessMac.mm

  Log Message:
  -----------
  [macOS] WebKit processes can use incorrect sandbox profile by following symlinks
https://bugs.webkit.org/show_bug.cgi?id=305199
rdar://166635947

Reviewed by Mike Wyrzykowski.

Prepend sandbox profile path with `/.nofollow` prefix to inform the system that symlinks should not be followed.

* Source/WebKit/Shared/mac/AuxiliaryProcessMac.mm:
(WebKit::processStorageClass):
(WebKit::sandboxDirectory):
(WebKit::tryApplyCachedSandbox):

Originally-landed-as: 305413.32@safari-7624-branch (75c13008c3ff). 
rdar://173968809
Canonical link: https://commits.webkit.org/311708@main


Compare: https://github.com/WebKit/WebKit/compare/f45de3a3d2a7...69a8331a19da
