Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: f0afe0e8864d8fe6d62424d80298398cd6a71e67
https://github.com/WebKit/WebKit/commit/f0afe0e8864d8fe6d62424d80298398cd6a71e67
Author: Chris Dumez <[email protected]>
Date: 2026-06-11 (Thu, 11 Jun 2026)
Changed paths:
M Source/WebKit/UIProcess/PDF/WKPDFPageNumberIndicator.mm
Log Message:
-----------
[PDF] WKPDFPageNumberIndicator should not capture originMoved by reference
https://bugs.webkit.org/show_bug.cgi?id=316748
Reviewed by Abrar Rahman Protyasha.
-[WKPDFPageNumberIndicator _moveToPoint:animated:completionHandler:] declared a
stack-local `originMoved` that was written by the synchronous `animations` block
and then read by the UIView animation `completion` block via a by-reference
capture. On the animated path, UIKit copies the completion block and invokes it
after the animation finishes, by which point this method's stack frame (and thus
`originMoved`) is gone, resulting in a use-after-free read.
The only in-tree caller passes animated:NO, so this is currently a latent bug,
but it would trigger as soon as the method is used with animated:YES.
Fix this by computing `originMoved` up front and capturing it by value. The
frame's origin does not change between method entry and when the `animations`
block runs, so this is equivalent to the previous computation.
* Source/WebKit/UIProcess/PDF/WKPDFPageNumberIndicator.mm:
(-[WKPDFPageNumberIndicator _moveToPoint:animated:completionHandler:]):
Compute originMoved before starting the animation and capture it by value in the
completion block rather than capturing the stack variable by reference. The
no-move case still honors the `animated` argument and funnels through
-animateWithDuration:... rather than returning early.
Canonical link: https://commits.webkit.org/315008@main
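The capture bug and its fix, reduced to a plain C++ model of the deferred-completion pattern the message describes; this is an added example, not code from WebKit or UIKit, and `DeferredAnimator`, `Indicator`, `Point` and `runFixedScenario` are stand-ins for the UIView animation API and WKPDFPageNumberIndicator.

```cpp
#include <functional>
#include <utility>
#include <vector>
struct Point { double x, y; bool operator==(const Point& o) const { return x == o.x && y == o.y; } };
// Stand-in for -animateWithDuration:animations:completion:: `animations` runs synchronously,
// `completion` is copied and, when animated, invoked only after the caller's frame is gone.
struct DeferredAnimator {
    std::vector<std::function<void(bool)>> pending;
    void animate(bool animated, const std::function<void()>& animations, std::function<void(bool)> completion) {
        animations();
        if (animated) pending.push_back(std::move(completion)); // fires in finishAnimations()
        else completion(true);                                   // animated:NO completes inline
    }
    void finishAnimations() {
        auto ready = std::move(pending); pending.clear();
        for (auto& completion : ready) completion(true);
    }
};
struct Indicator {
    Point origin { 0, 0 }; DeferredAnimator& animator;
    // Shape the commit removes: `originMoved` is written by `animations` and read by the deferred
    // `completion` via a reference capture, a dead stack slot when animated. Never called below.
    void moveToPointDangling(Point point, bool animated, std::function<void(bool)> handler) {
        bool originMoved = false;
        animator.animate(animated, [&] { originMoved = !(origin == point); origin = point; },
            [&originMoved, handler](bool) { handler(originMoved); }); // dangles once we return
    }
    // Fixed shape: decide `originMoved` up front and capture it by value. Nothing touches `origin`
    // between entry and `animations`, so the value is the same; no-move still goes via the animator.
    void moveToPoint(Point point, bool animated, std::function<void(bool)> handler) {
        const bool originMoved = !(origin == point);
        animator.animate(animated, [this, point] { origin = point; },
            [originMoved, handler](bool) { handler(originMoved); });
    }
};
// Drives the fixed path as UIKit would (deferred completions fire after moveToPoint returned) and
// returns the `originMoved` values the handler observed, in completion order.
static std::vector<bool> runFixedScenario() {
    DeferredAnimator animator;
    Indicator indicator { { 0, 0 }, animator };
    std::vector<bool> observed;
    auto record = [&observed](bool moved) { observed.push_back(moved); };
    indicator.moveToPoint({ 10, 20 }, true, record);  // moved; completion deferred
    indicator.moveToPoint({ 10, 20 }, true, record);  // same point: not moved; still deferred
    indicator.moveToPoint({ 5, 5 }, false, record);   // animated:NO: completes inline, so first
    animator.finishAnimations();                      // the two deferred completions run now
    return observed;                                  // {true, true, false}
}
```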