Branch: refs/heads/webkitglib/2.38
Home: https://github.com/WebKit/WebKit
Commit: e72817e76a462a0bfc9c1c5514c3f2f3479d10a7
https://github.com/WebKit/WebKit/commit/e72817e76a462a0bfc9c1c5514c3f2f3479d10a7
Author: Arunsundar Kannan <[email protected]>
Date: 2023-01-31 (Tue, 31 Jan 2023)
Changed paths:
A LayoutTests/fast/forms/textfield-input-type-crash-onblur-expected.txt
A LayoutTests/fast/forms/textfield-input-type-crash-onblur.html
M Source/WebCore/html/HTMLInputElement.cpp
M Source/WebCore/html/HTMLOptionElement.cpp
M Source/WebCore/html/TextFieldInputType.cpp
Log Message:
-----------
Cherry-pick 252432.838@safari-7614-branch (665170902bfa).
https://bugs.webkit.org/show_bug.cgi?id=247389
UAF crash occurs during a style update when an older freed HTMLElement is accessed
https://bugs.webkit.org/show_bug.cgi?id=247389
rdar://101420898
Reviewed by Ryosuke Niwa and Ryan Haddad.
* LayoutTests/fast/forms/textfield-input-type-crash-onblur-expected.txt:
Added.
* LayoutTests/fast/forms/textfield-input-type-crash-onblur.html: Added.
* Source/WebCore/html/HTMLInputElement.cpp:
(WebCore::HTMLInputElement::dataListMayHaveChanged):
* Source/WebCore/html/HTMLOptionElement.cpp:
(WebCore::HTMLOptionElement::childrenChanged):
* Source/WebCore/html/TextFieldInputType.cpp:
(WebCore::TextFieldInputType::createDataListDropdownIndicator):
(WebCore::TextFieldInputType::dataListMayHaveChanged):
Canonical link: https://commits.webkit.org/252432.838@safari-7614-branch
Commit: ee69ee950363d4ec41fbc397b841aa21c303eb59
https://github.com/WebKit/WebKit/commit/ee69ee950363d4ec41fbc397b841aa21c303eb59
Author: Chris Dumez <[email protected]>
Date: 2023-01-31 (Tue, 31 Jan 2023)
Changed paths:
A LayoutTests/fast/dom/lazy-loading-iframe-destruction-crash-expected.txt
A LayoutTests/fast/dom/lazy-loading-iframe-destruction-crash.html
M Source/WebCore/dom/Document.cpp
Log Message:
-----------
Cherry-pick 252432.841@safari-7614-branch (a47510d4bcf4).
https://bugs.webkit.org/show_bug.cgi?id=248111
Fix potential crash under IntersectionObserver::disconnect()
https://bugs.webkit.org/show_bug.cgi?id=248111
rdar://100355921
Reviewed by Jonathan Bedard and Ryosuke Niwa.
Make sure we protect the intersection observers and resize observers before
calling disconnect() on them in Document::commonTeardown().
This is a speculative fix to address the crash in the radar, which I was
unable to reproduce.
* LayoutTests/fast/dom/lazy-loading-iframe-destruction-crash-expected.txt:
Added.
* LayoutTests/fast/dom/lazy-loading-iframe-destruction-crash.html: Added.
Include test from the radar, even though it didn't reproduce the issue for
me.
* Source/WebCore/dom/Document.cpp:
(WebCore::Document::commonTeardown):
Canonical link: https://commits.webkit.org/252432.841@safari-7614-branch
Commit: 2ee4be61cb23e858618fdc7c63b095e7635f6029
https://github.com/WebKit/WebKit/commit/2ee4be61cb23e858618fdc7c63b095e7635f6029
Author: Dan Glastonbury <[email protected]>
Date: 2023-01-31 (Tue, 31 Jan 2023)
Changed paths:
M Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp
Log Message:
-----------
Cherry-pick 252432.896@safari-7614-branch (91df735c5c49). rdar://98583503
[WebGL] Harden texImageImpl byte length calculation
rdar://98583503
Reviewed by Kimmo Kinnunen and Ryan Haddad.
The calculation of the image size has been validated earlier but out of an
abundance of caution, use checked arithmetic on size_t to perform the
calculation, returning a GL error on overflow.
* Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp:
(WebCore::WebGLRenderingContextBase::texImageImpl):
Calculate imagePixelsByteLength with checked arithmetic to catch integer
overflow.
Canonical link: https://commits.webkit.org/252432.896@safari-7614-branch
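The commit above replaces a plain size_t multiplication with checked arithmetic. The block below is an added illustration of that pattern, not WebKit's texImageImpl code: it computes a width * height * bytesPerPixel byte length once with wrapping arithmetic and once with overflow detection, so the difference the commit message describes is visible on a concrete input. The GLError enum, the ByteLengthResult struct and the function names are hypothetical; __builtin_mul_overflow is a GCC/Clang builtin.

```cpp
#include <cstddef>
#include <cstdint>
#include <optional>

// Hypothetical stand-in for the GL error the real code reports on overflow.
enum class GLError { None, InvalidValue };

struct ByteLengthResult {
    GLError error;
    size_t byteLength; // meaningful only when error == GLError::None
};

// Unchecked form: size_t multiplication silently wraps modulo 2^64,
// so a huge image can produce a small (bogus) byte length.
size_t uncheckedByteLength(size_t width, size_t height, size_t bytesPerPixel)
{
    return width * height * bytesPerPixel;
}

// Multiply two size_t values, reporting overflow instead of wrapping.
static std::optional<size_t> checkedMul(size_t a, size_t b)
{
    size_t result;
    if (__builtin_mul_overflow(a, b, &result))
        return std::nullopt;
    return result;
}

// Checked form: every intermediate product is verified, and an overflow
// becomes an error result rather than a wrapped value.
ByteLengthResult imagePixelsByteLength(size_t width, size_t height, size_t bytesPerPixel)
{
    std::optional<size_t> area = checkedMul(width, height);
    if (!area)
        return { GLError::InvalidValue, 0 };
    std::optional<size_t> bytes = checkedMul(*area, bytesPerPixel);
    if (!bytes)
        return { GLError::InvalidValue, 0 };
    return { GLError::None, *bytes };
}
```

On a 1024x768 RGBA image both forms agree (3145728 bytes); on a width of SIZE_MAX/2 + 1 with height 2 the unchecked form wraps to 0 while the checked form reports GLError::InvalidValue, which is the case the commit guards against.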
Commit: dfb14621447bf8d6f565cb8fac734ed9890e246e
https://github.com/WebKit/WebKit/commit/dfb14621447bf8d6f565cb8fac734ed9890e246e
Author: Alex Christensen <[email protected]>
Date: 2023-01-31 (Tue, 31 Jan 2023)
Changed paths:
M Source/WebKit/WebProcess/WebCoreSupport/SessionStateConversion.cpp
M Tools/TestWebKitAPI/Tests/WebKit/WKBackForwardList.mm
Log Message:
-----------
Cherry-pick 252432.898@safari-7614-branch (57748248ae92).
https://bugs.webkit.org/show_bug.cgi?id=248664
Truncate title before adding to _WKSessionState
https://bugs.webkit.org/show_bug.cgi?id=248664
rdar://102444516
Reviewed by Chris Dumez, Mark Gee, and Jonathan Bedard.
Truncate the title to 1000 characters like we do everywhere else we send
the title from the web content process.
* Source/WebKit/WebProcess/WebCoreSupport/SessionStateConversion.cpp:
(WebKit::toBackForwardListItemState):
* Tools/TestWebKitAPI/Tests/WebKit/WKBackForwardList.mm:
(TEST):
Canonical link: https://commits.webkit.org/252432.898@safari-7614-branch
Commit: 35ecde32dfff55d1afd332047651da077426fb95
https://github.com/WebKit/WebKit/commit/35ecde32dfff55d1afd332047651da077426fb95
Author: Claudio Saavedra <[email protected]>
Date: 2023-01-31 (Tue, 31 Jan 2023)
Changed paths:
A LayoutTests/http/tests/security/embedded-self-reference-after-url-modified-expected.txt
A LayoutTests/http/tests/security/embedded-self-reference-after-url-modified.html
M Source/WebCore/html/HTMLFrameOwnerElement.cpp
Log Message:
-----------
Cherry-pick [email protected] (155bed739000).
https://bugs.webkit.org/show_bug.cgi?id=248469
HTMLFrameOwnerElement: use Document::creationURL() for self-reference check
https://bugs.webkit.org/show_bug.cgi?id=248469
Reviewed by Darin Adler.
Document::url() can be changed through the History API, therefore it's not
a reliable source to verify whether a given URL is self-referencing. Use
creationURL instead, which is immutable.
* LayoutTests/http/tests/security/embedded-self-reference-after-url-modified-expected.txt: Added.
* LayoutTests/http/tests/security/embedded-self-reference-after-url-modified.html: Added.
* Source/WebCore/html/HTMLFrameOwnerElement.cpp:
(WebCore::HTMLFrameOwnerElement::isProhibitedSelfReference const):
Canonical link: https://commits.webkit.org/[email protected]
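The commit above points out that a self-reference check keyed on Document::url() can be defeated because the History API rewrites that URL, whereas the creation URL is immutable. The block below is an added, deliberately simplified model of that reasoning and is not WebKit's HTMLFrameOwnerElement code: a toy Document struct carries both URLs, pushState mutates only the current one, and the ancestor walk can be run against either field to show which one still detects the self-reference after the URL change. All names here are hypothetical, and the comparison is plain string equality rather than WebKit's URL comparison.

```cpp
#include <string>

// Hypothetical, simplified model of a frame's document.
struct Document {
    std::string creationURL;          // URL the document was created with; never changes
    std::string url;                  // current URL; history.pushState() can rewrite it
    const Document* parent = nullptr; // owning (parent frame's) document, if any
};

// Models history.pushState(): only the current URL moves, creationURL stays put.
void pushState(Document& doc, const std::string& newURL)
{
    doc.url = newURL;
}

enum class UrlSource { Current, Creation };

// Walk from the owner document up through its ancestors and report whether
// the candidate frame URL matches any of them. With UrlSource::Current the
// check is keyed on the mutable url(); with UrlSource::Creation it is keyed
// on the immutable creationURL(), as the commit changes it to do.
bool isProhibitedSelfReference(const Document& owner, const std::string& candidateURL, UrlSource source)
{
    for (const Document* doc = &owner; doc; doc = doc->parent) {
        const std::string& ancestorURL = (source == UrlSource::Creation) ? doc->creationURL : doc->url;
        if (ancestorURL == candidateURL)
            return true;
    }
    return false;
}

// Scenario from the commit: a page rewrites its own URL, then embeds the URL it
// was actually created from. Returns true only if the check still catches it.
bool selfReferenceStillDetectedAfterUrlChange(UrlSource source)
{
    // Constructed sample URLs; no relation to any real site.
    Document page { "https://example.test/page.html", "https://example.test/page.html" };
    pushState(page, "https://example.test/page.html#renamed-state");
    return isProhibitedSelfReference(page, "https://example.test/page.html", source);
}
```

Before any URL change both sources agree; after pushState the url()-based check no longer sees the match while the creationURL-based check does, which is the gap the fix closes.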
Compare: https://github.com/WebKit/WebKit/compare/33fc68e77ae8...35ecde32dfff
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes