Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 633fbf1eab41bddec1989aadbb319a65200f6633
    https://github.com/WebKit/WebKit/commit/633fbf1eab41bddec1989aadbb319a65200f6633
Author: Andy Estes <aes...@apple.com>
Date: 2023-12-19 (Tue, 19 Dec 2023)

Changed paths:
  A LayoutTests/fullscreen/fullscreen-cancel-after-request-crash-expected.txt
  A LayoutTests/fullscreen/fullscreen-cancel-after-request-crash.html
  M Source/WebCore/dom/FullscreenManager.cpp

Log Message:
-----------
Use-after-free in FullscreenManager::requestFullscreenForElement
https://bugs.webkit.org/show_bug.cgi?id=263140
rdar://116736343

Reviewed by Chris Dumez.

Calling DeferredPromise::reject from the failedPreflights lambda in
FullscreenManager::requestFullscreenForElement may cause the Document that
owns the FullscreenManager to be deallocated, resulting in a use-after-free
when the document is accessed again after rejecting the promise. Resolved
this by keeping a Ref to m_document for the lifetime of the failedPreflights
lambda.

Added a layout test.

* LayoutTests/fullscreen/fullscreen-cancel-after-request-crash-expected.txt: Added.
* LayoutTests/fullscreen/fullscreen-cancel-after-request-crash.html: Added.
* Source/WebCore/dom/FullscreenManager.cpp:
(WebCore::FullscreenManager::requestFullscreenForElement):

Originally-landed-as: 267815.332@safari-7617-branch (dc44d44d42fd). rdar://119594954
Canonical link: https://commits.webkit.org/272320@main

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
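As an added illustration of the lifetime bug the commit message describes (example code, not WebKit's): a reduced model in which settling the promise drops what may be the last strong reference to the document, shown in the unprotected form beside the form that captures a Ref for the lambda's lifetime. Document, Ref and DeferredPromise here are constructed stand-ins for the WebCore/WTF types, and the last deref marks the object destroyed instead of freeing it so the stale access can be counted safely.

```cpp
// Constructed stand-ins for WebCore's Document, WTF::Ref and DeferredPromise (not WebKit code).
// The last deref() marks the object destroyed instead of freeing it, so a stale access is counted.
struct Document {
    int refCount = 0;
    bool destroyed = false;
    int usesAfterDestroy = 0;            // accesses made after the "deallocation"
    void ref() { ++refCount; }
    void deref() { if (--refCount == 0) destroyed = true; }
    void didCancelFullscreenRequest() { if (destroyed) ++usesAfterDestroy; }
};

struct Ref {                             // RAII strong reference, in the spirit of WTF::Ref
    Document* m_ptr;
    explicit Ref(Document& d) : m_ptr(&d) { m_ptr->ref(); }
    Ref(const Ref& o) : m_ptr(o.m_ptr) { m_ptr->ref(); }
    Ref& operator=(const Ref&) = delete;
    ~Ref() { m_ptr->deref(); }
    Document* operator->() const { return m_ptr; }
};
struct DeferredPromise {                 // the JS wrapper keeps the document alive until settled
    Document* m_document;
    bool settled = false;
    explicit DeferredPromise(Document& d) : m_document(&d) { m_document->ref(); }
    void reject() { if (!settled) { settled = true; m_document->deref(); } }
};

// Before the fix: only the manager's raw back-pointer is captured; rejecting may free the Document.
int requestFullscreenUnprotected(Document& document) {
    DeferredPromise promise(document);   // the only strong reference in this scenario
    Document* m_document = &document;    // FullscreenManager's non-owning back-pointer
    auto failedPreflights = [m_document, &promise] {
        promise.reject();                            // may deallocate the Document
        m_document->didCancelFullscreenRequest();    // use-after-free
    };
    failedPreflights();
    return document.usesAfterDestroy;    // 1
}

// After the fix: a Ref captured by the lambda keeps the Document alive until the lambda returns.
int requestFullscreenProtected(Document& document) {
    DeferredPromise promise(document);
    Document* m_document = &document;
    auto failedPreflights = [protectedDocument = Ref(*m_document), &promise] {
        promise.reject();                            // drops the promise's reference only
        protectedDocument->didCancelFullscreenRequest();
    };
    failedPreflights();
    return document.usesAfterDestroy;    // 0
}
```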