Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: d3dd4508f3f8e3dc7eee6377bdb7754a2a3c26fc
https://github.com/WebKit/WebKit/commit/d3dd4508f3f8e3dc7eee6377bdb7754a2a3c26fc
Author: Chris Dumez <[email protected]>
Date: 2026-06-10 (Wed, 10 Jun 2026)
Changed paths:
M Source/WebKit/UIProcess/WebAuthentication/Cocoa/WebAuthenticatorCoordinatorProxy.mm
M Source/WebKit/UIProcess/WebAuthentication/WebAuthenticatorCoordinatorProxy.cpp
Log Message:
-----------
WebAuthenticatorCoordinatorProxy fails to return after a released
WebPageProxy, causing a null deref and double reply
https://bugs.webkit.org/show_bug.cgi?id=316751
Reviewed by Pascoe.
makeCredential(), getAssertion(), and performRequestLegacy() each guard against
a released m_webPageProxy by sending an error reply to the WebProcess, but they
neglected to return afterwards. Execution then fell through and dereferenced the
null webPageProxy (e.g. webPageProxy->webPageIDInMainFrameProcess(),
webPageProxy->pageClient()) and moved/invoked the already-consumed async reply
handler a second time, which is a use-after-consume of a sendWithAsyncReply
reply.
Add the missing return; so each path bails out after sending the error reply.
* Source/WebKit/UIProcess/WebAuthentication/Cocoa/WebAuthenticatorCoordinatorProxy.mm:
* Source/WebKit/UIProcess/WebAuthentication/WebAuthenticatorCoordinatorProxy.cpp:
(WebKit::WebAuthenticatorCoordinatorProxy::makeCredential):
(WebKit::WebAuthenticatorCoordinatorProxy::getAssertion):
Canonical link: https://commits.webkit.org/314959@main
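
The fall-through described in the log message, modelled as an added example that is not code from this commit or from WebKit. Page, OneShotReply, Outcome and handleRequest are hypothetical stand-ins, and the model records the null use and the second reply instead of crashing.

```cpp
#include <string>
#include <utility>

// Hypothetical stand-ins for illustration; none of these are WebKit types.
struct Page { int id; };

struct Outcome {
    int repliesDelivered { 0 };    // replies that reached the requester
    int repliesAfterConsume { 0 }; // calls made on an already-consumed reply
    bool nullPageUsed { false };   // normal path reached with a released page
};

// Consume-once reply handler: the first call delivers, any later call is a fault.
class OneShotReply {
public:
    explicit OneShotReply(Outcome& out) : m_out(out) { }
    void operator()(const std::string&)
    {
        if (std::exchange(m_consumed, true)) {
            ++m_out.repliesAfterConsume;
            return;
        }
        ++m_out.repliesDelivered;
    }
private:
    Outcome& m_out;
    bool m_consumed { false };
};

// withReturn == false reproduces the missing return after the error reply;
// withReturn == true is the hardened form that bails out of the guard.
Outcome handleRequest(Page* page, bool withReturn)
{
    Outcome out;
    OneShotReply reply(out);
    if (!page) {
        reply("error: page released");
        if (withReturn)
            return out;
    }
    // Normal path. Real code would dereference page here and crash when it
    // is null; the model records that instead of dereferencing.
    if (!page)
        out.nullPageUsed = true;
    reply(page ? "ok: page " + std::to_string(page->id) : std::string("ok"));
    return out;
}
```

A reply type that asserts on a second invocation, or on destruction without any invocation, turns this class of bug into an immediate debug-build failure rather than a silent double reply.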