Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 5e2fbff61ae90daff246d581be165947505b2d10
  https://github.com/WebKit/WebKit/commit/5e2fbff61ae90daff246d581be165947505b2d10
Author: Nisha Jain <nisha_j...@apple.com>
Date: 2023-12-19 (Tue, 19 Dec 2023)

Changed paths:
  A LayoutTests/storage/indexeddb/abort-index-rename-crash-expected.txt
  A LayoutTests/storage/indexeddb/abort-index-rename-crash.html
  M Source/WebCore/Modules/indexeddb/server/MemoryBackingStoreTransaction.cpp
  M Source/WebCore/Modules/indexeddb/server/MemoryIndex.cpp
  M Source/WebCore/Modules/indexeddb/server/MemoryIndex.h
  M Source/WebCore/Modules/indexeddb/server/MemoryIndexCursor.cpp
  M Source/WebCore/Modules/indexeddb/server/MemoryObjectStore.h

Log Message:
-----------
jsc_fuz/wktr: heap-use-after-free in WebCore::IDBServer::MemoryObjectStore::takeIndexByIdentifier(unsigned long long) MemoryObjectStore.cpp:128.
https://bugs.webkit.org/show_bug.cgi?id=264180.
rdar://117463447.

Reviewed by Sihui Liu.

MemoryIndex now keeps a WeakPtr to MemoryObjectStore 'm_objectStore' and checks its validity before using it. Also RefPtr conversion from WeakPtr using the get() API as applicable.

* LayoutTests/storage/indexeddb/abort-index-rename-crash-expected.txt: Added the test expected file.
* LayoutTests/storage/indexeddb/abort-index-rename-crash.html: Added the test case.
* Source/WebCore/Modules/indexeddb/server/MemoryBackingStoreTransaction.cpp: Checks the validity of the MemoryObjectStore pointer before using it.
(WebCore::IDBServer::MemoryBackingStoreTransaction::objectStoreDeleted):
(WebCore::IDBServer::MemoryBackingStoreTransaction::indexRenamed):
(WebCore::IDBServer::MemoryBackingStoreTransaction::abort):
* Source/WebCore/Modules/indexeddb/server/MemoryIndex.cpp: Changed direct reference to WeakPtr. Also used RefPtr conversion using the get() API as applicable.
(WebCore::IDBServer::MemoryIndex::objectStoreCleared):
(WebCore::IDBServer::MemoryIndex::clearIndexValueStore):
(WebCore::IDBServer::MemoryIndex::replaceIndexValueStore):
(WebCore::IDBServer::MemoryIndex::getResultForKeyRange const):
(WebCore::IDBServer::MemoryIndex::getAllRecords const):
* Source/WebCore/Modules/indexeddb/server/MemoryIndex.h: Changed direct reference to WeakPtr.
(WebCore::IDBServer::MemoryIndex::objectStore):
* Source/WebCore/Modules/indexeddb/server/MemoryIndexCursor.cpp: Used RefPtr conversion using the get() API for the MemoryIndex-based MemoryObjectStore object.
(WebCore::IDBServer::MemoryIndexCursor::currentData):
* Source/WebCore/Modules/indexeddb/server/MemoryObjectStore.h:

Originally-landed-as: 267815.545@safari-7617-branch (64bcd93cbc55). rdar://119599034
Canonical link: https://commits.webkit.org/272317@main

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
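The lifetime pattern the log message describes (an index that stops holding a direct reference to its object store, keeps a weak pointer instead, and validates it before every use) as an added, self-contained illustration. This is not WebKit code: std::shared_ptr and std::weak_ptr stand in for WebKit's RefPtr and WeakPtr, and the ObjectStore, Index and Transaction classes, the lookup() method and the sample records are all constructed for this example.

```cpp
// Added example (not WebKit code). Models the fix shape from the commit message:
// an Index that formerly held ObjectStore& now holds a weak pointer and checks it
// before use, so an index that outlives its store fails safely instead of reading
// freed memory. std::weak_ptr/std::shared_ptr stand in for WeakPtr/RefPtr (assumption).
#include <cstdint>
#include <iostream>
#include <map>
#include <memory>
#include <optional>
#include <string>

// Hypothetical object store: owns a few constructed sample records.
struct ObjectStore {
    std::string name;
    std::map<uint64_t, std::string> records;
    explicit ObjectStore(std::string n) : name(std::move(n)) {}
};

// Hypothetical index. The only reference it keeps to the store is weak.
class Index {
public:
    explicit Index(const std::shared_ptr<ObjectStore>& store) : m_objectStore(store) {}

    // Counterpart of "checks its validity before using it": lock() hands back a
    // strong (RefPtr-like) pointer only while the store is alive, else nullptr.
    std::shared_ptr<ObjectStore> objectStore() const { return m_objectStore.lock(); }

    bool hasStore() const { return !m_objectStore.expired(); }

    // Looks a record up through the store. Returns nullopt when the store has
    // already been destroyed (e.g. the owning transaction aborted) or the key is absent.
    std::optional<std::string> lookup(uint64_t key) const {
        auto store = objectStore();     // take a strong ref for the duration of the call
        if (!store)
            return std::nullopt;        // store gone: safe failure path, no dangling access
        auto it = store->records.find(key);
        if (it == store->records.end())
            return std::nullopt;
        return it->second;
    }

private:
    std::weak_ptr<ObjectStore> m_objectStore; // was a direct reference in the bug shape
};

// Minimal transaction: owns the store; abort() destroys the store while an Index
// that refers to it is still alive, which is the ordering the bug title points at.
struct Transaction {
    std::shared_ptr<ObjectStore> store;
    std::shared_ptr<Index> index;
    void abort() { store.reset(); }
};

Transaction makeTransaction() {
    Transaction tx;
    tx.store = std::make_shared<ObjectStore>("people"); // constructed sample store
    tx.store->records[1] = "alice";
    tx.store->records[2] = "bob";
    tx.index = std::make_shared<Index>(tx.store);
    return tx;
}

struct ScenarioResult {
    bool beforeAbortFound;     // lookup works while the store exists
    bool afterAbortHasStore;   // weak pointer reports expiry after abort
    bool afterAbortFound;      // lookup after abort must fail cleanly
};

// Runs store-alive lookup, aborts the transaction, then retries the lookup.
ScenarioResult runAbortScenario() {
    Transaction tx = makeTransaction();
    ScenarioResult r{};
    r.beforeAbortFound = tx.index->lookup(1).has_value();
    tx.abort();                                  // store destroyed, index survives
    r.afterAbortHasStore = tx.index->hasStore();
    r.afterAbortFound = tx.index->lookup(1).has_value();
    return r;
}

int main() {
    ScenarioResult r = runAbortScenario();
    std::cout << "before abort found: " << r.beforeAbortFound
              << ", after abort has store: " << r.afterAbortHasStore
              << ", after abort found: " << r.afterAbortFound << '\n';
    return 0;
}
```

The point the example makes is that the check has to happen at each use, not once at construction: lookup() converts the weak pointer to a strong one for the span of a single operation and bails out when that conversion yields null, so the window between the store's destruction and the next index access is closed by the type, not by caller discipline.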