Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit

Commit: cfe38930db92bdf1fecc71b3c014c861bf4033df
https://github.com/WebKit/WebKit/commit/cfe38930db92bdf1fecc71b3c014c861bf4033df
Author: Basuke Suzuki <bas...@apple.com>
Date: 2024-10-31 (Thu, 31 Oct 2024)

Changed paths:
A LayoutTests/js/structuredClone/structured-clone-of-ResizableSharedArrayBuffer-expected.txt
A LayoutTests/js/structuredClone/structured-clone-of-ResizableSharedArrayBuffer.html
M Source/WebCore/bindings/js/SerializedScriptValue.cpp

Log Message:
-----------
Race condition in CloneSerializer::dumpIfTerminal allows for injecting arbitrary deserialization data
https://bugs.webkit.org/show_bug.cgi?id=278657
rdar://132388209

Reviewed by Chris Dumez and Geoffrey Garen.

Fix the exploit by using a consistent byteLength fetched from the array buffer.

This is part 1 of the security fix. In part 2, we'll introduce a new write method for std::span and consistently use that in all cases of std::span<const uint8_t>. This requires changing the byte format and needs more code.

* LayoutTests/js/structuredClone/structured-clone-of-ResizableSharedArrayBuffer-expected.txt: Added.
* LayoutTests/js/structuredClone/structured-clone-of-ResizableSharedArrayBuffer.html: Added.
* Source/WebCore/bindings/js/SerializedScriptValue.cpp:
(WebCore::CloneSerializer::dumpIfTerminal):
(WebCore::CloneSerializer::writeResizableArrayBuffer):

Originally-landed-as: 280938.277@safari-7619-branch (22e102ecb215). rdar://138933194
Canonical link: https://commits.webkit.org/285959@main

Commit: aaa488b390797c343e905ba494ba8a7592e96b3e
https://github.com/WebKit/WebKit/commit/aaa488b390797c343e905ba494ba8a7592e96b3e
Author: Youenn Fablet <you...@apple.com>
Date: 2024-10-31 (Thu, 31 Oct 2024)

Changed paths:
M Source/ThirdParty/libwebrtc/Source/third_party/libvpx/source/libvpx/vp9/encoder/vp9_ratectrl.c

Log Message:
-----------
Cherry-pick libvpx 634e1f8fb196f0e04c0dceae7043e8a12a0d31f9
rdar://133438454

Reviewed by Brent Fulgham.

We cherry-pick this overflow change after resolving a small conflict.

* Source/ThirdParty/libwebrtc/Source/third_party/libvpx/source/libvpx/vp9/encoder/vp9_ratectrl.c:
(vp9_calc_iframe_target_size_one_pass_cbr):

Originally-landed-as: 280938.279@safari-7619-branch (e52aabe54a9b). rdar://138933397
Canonical link: https://commits.webkit.org/285960@main

Commit: 8b4839b1659b79ac1713978a9a94b24340a64935
https://github.com/WebKit/WebKit/commit/8b4839b1659b79ac1713978a9a94b24340a64935
Author: Kiet Ho <th...@apple.com>
Date: 2024-10-31 (Thu, 31 Oct 2024)

Changed paths:
A LayoutTests/compositing/tiling/crash-when-unapplying-mask-border-expected.txt
A LayoutTests/compositing/tiling/crash-when-unapplying-mask-border.html
M Source/WebCore/platform/graphics/ca/GraphicsLayerCA.cpp

Log Message:
-----------
GraphicsLayerCA: when changing layer type, disown the old layer after copying to new layer
rdar://132717696
https://bugs.webkit.org/show_bug.cgi?id=278567

Reviewed by Simon Fraser.

In GraphicsLayerCA::changeLayerTypeTo, after copying from the current (old) layer to the new layer, we neglect to set the owner of the old layer to nullptr. Even if the owner (a GraphicsLayerCA) later gets destroyed, the old layer still keeps a reference to the dead owner, and accessing the owner leads to a use-after-free.

Fix this by setting the owner of the old layer to nullptr once we're done using it.

* LayoutTests/compositing/tiling/crash-when-unapplying-mask-border-expected.txt: Added.
* LayoutTests/compositing/tiling/crash-when-unapplying-mask-border.html: Added.
* Source/WebCore/platform/graphics/ca/GraphicsLayerCA.cpp:
(WebCore::GraphicsLayerCA::changeLayerTypeTo):

Originally-landed-as: 280938.281@safari-7619-branch (294250ca449f). rdar://138933594
Canonical link: https://commits.webkit.org/285961@main

Commit: 4729b99658a7b2befac1a317971bee4d0bc16066
https://github.com/WebKit/WebKit/commit/4729b99658a7b2befac1a317971bee4d0bc16066
Author: Nitin Mahendru <nitinmahen...@apple.com>
Date: 2024-10-31 (Thu, 31 Oct 2024)

Changed paths:
A LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-ping-allowed-expected.txt
A LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-ping-allowed.html
A LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-ping-blocked-expected.txt
A LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-ping-blocked.html
A LayoutTests/http/tests/security/contentSecurityPolicy/resources/sample.html
M Source/WebCore/loader/PingLoader.cpp

Log Message:
-----------
Honor the connect-src value for <a ping="">
https://bugs.webkit.org/show_bug.cgi?id=278765
rdar://131054895

Reviewed by Chris Dumez.

At the moment, even though connect-src is set to one origin, cross-origin pings originating from the ping attribute of HTMLAnchorElement are not blocked. They should be. This adds that check using CSP and adds +/- tests to validate the same.

* LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-ping-allowed-expected.txt: Added.
* LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-ping-allowed.html: Added.
* LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-ping-blocked-expected.txt: Added.
* LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-ping-blocked.html: Added.
* LayoutTests/http/tests/security/contentSecurityPolicy/resources/sample.html: Added.
* Source/WebCore/loader/PingLoader.cpp:
(WebCore::PingLoader::sendPing):

Originally-landed-as: 280938.286@safari-7619-branch (03fe2d2f0fa8). rdar://138934062
Canonical link: https://commits.webkit.org/285962@main

Commit: 11494e67729152123b351f836d98b94eb6f8bd65
https://github.com/WebKit/WebKit/commit/11494e67729152123b351f836d98b94eb6f8bd65
Author: Matthew Finkel <m_fin...@apple.com>
Date: 2024-10-31 (Thu, 31 Oct 2024)

Changed paths:
M Source/WebKit/UIProcess/WebPageProxy.cpp

Log Message:
-----------
Improve matching webarchive file extension when loading in ephemeral datastore
https://bugs.webkit.org/show_bug.cgi?id=279226
rdar://135302982

Reviewed by Darin Adler.

This change ensures we only look at the file path instead of the entire URL string.

* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::receivedNavigationActionPolicyDecision):

Originally-landed-as: 280938.309@safari-7619-branch (61f89b532694). rdar://138934659
Canonical link: https://commits.webkit.org/285963@main

Compare: https://github.com/WebKit/WebKit/compare/6595fcf60a8d...11494e677291

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes