Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 6807acd8362be9bcaa4010dfd1dab6112735923b
https://github.com/WebKit/WebKit/commit/6807acd8362be9bcaa4010dfd1dab6112735923b
Author: Kristian Monsen <[email protected]>
Date: 2026-06-11 (Thu, 11 Jun 2026)
Changed paths:
M LayoutTests/ipc/coreipc.js
A LayoutTests/ipc/indexed-colorspace-null-inner-crash-expected.txt
A LayoutTests/ipc/indexed-colorspace-null-inner-crash.html
M Source/WebKit/Shared/cf/CoreIPCCGColorSpace.mm
Log Message:
-----------
CoreIPCCGColorSpace::toCF() crashes dereferencing null Box<> when decoding IndexedColorSpace
https://bugs.webkit.org/show_bug.cgi?id=316892
rdar://178983712
Reviewed by Pascoe.
toCF() unconditionally dereferences the inner colorSpace Box via operator->,
which has a RELEASE_ASSERT(isValid()) that fires when the Box is null. A null
Box is a valid decoded state since ArgumentCoder<Box<T>> accepts a
false-encoded bool to represent null. Adding the null check causes toCF() to
return nullptr instead, which propagates up through the existing null guard and
the DestinationColorSpace validator, cleanly rejecting the malformed message
without crashing.
Test: ipc/indexed-colorspace-null-inner-crash.html
* LayoutTests/ipc/coreipc.js:
(export.ArgumentSerializer):
* LayoutTests/ipc/indexed-colorspace-null-inner-crash-expected.txt: Added.
* LayoutTests/ipc/indexed-colorspace-null-inner-crash.html: Added.
* Source/WebKit/Shared/cf/CoreIPCCGColorSpace.mm:
(WebKit::CoreIPCCGColorSpace::toCF const):
Canonical link: https://commits.webkit.org/315048@main
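The failure mode the commit describes (a decoder that legitimately produces a null box, consumed by code whose operator-> asserts on null) is a general pattern in IPC deserialization. The following is an added illustration, not WebKit's code: `Box`, `Decoder`, `ColorSpaceData`, `IndexedColorSpace` and the two `toData*` functions are constructed stand-ins, and the wire format (a presence flag byte followed by the payload) is an assumption modelled on the "false-encoded bool represents null" behaviour described above. It contrasts the unchecked conversion, which aborts on a null box, with the checked one, which returns nullptr so the surrounding validator rejects the message instead.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <memory>
#include <optional>
#include <utility>
#include <vector>

// Constructed stand-in for a nullable heap box whose operator-> aborts when the
// box is empty, mirroring a RELEASE_ASSERT(isValid()) on dereference.
template <typename T>
class Box {
public:
    Box() = default;
    explicit Box(T value) : m_ptr(std::make_shared<T>(std::move(value))) {}
    bool isValid() const { return m_ptr != nullptr; }
    T* operator->() const {
        if (!isValid()) {
            std::fputs("Box: null dereference\n", stderr);
            std::abort();
        }
        return m_ptr.get();
    }
private:
    std::shared_ptr<T> m_ptr;
};

// Minimal little-endian decoder over a constructed byte buffer (hypothetical).
class Decoder {
public:
    explicit Decoder(std::vector<uint8_t> bytes) : m_bytes(std::move(bytes)) {}
    std::optional<bool> decodeBool() {
        if (m_pos >= m_bytes.size()) return std::nullopt;   // truncated
        uint8_t b = m_bytes[m_pos++];
        if (b > 1) return std::nullopt;                      // a bool must be 0 or 1
        return b == 1;
    }
    std::optional<uint32_t> decodeU32() {
        if (m_bytes.size() - m_pos < 4) return std::nullopt; // truncated
        uint32_t v = 0;
        for (int i = 0; i < 4; ++i) v |= uint32_t(m_bytes[m_pos++]) << (8 * i);
        return v;
    }
private:
    std::vector<uint8_t> m_bytes;
    size_t m_pos = 0;
};

// Assumed wire format: a presence flag, then T only when the flag is true.
// A false flag is a *successful* decode that yields a null Box, so every
// consumer of the decoded value has to be prepared for that state.
template <typename T, typename DecodeInner>
std::optional<Box<T>> decodeBox(Decoder& d, DecodeInner decodeInner) {
    auto present = d.decodeBool();
    if (!present) return std::nullopt;   // malformed or truncated flag
    if (!*present) return Box<T>{};      // legitimately null
    auto inner = decodeInner(d);
    if (!inner) return std::nullopt;
    return Box<T>(std::move(*inner));
}

struct ColorSpaceData { uint32_t id; };
struct IndexedColorSpace { Box<ColorSpaceData> base; };

// "Before": trusts the box and dereferences unconditionally; aborts when null.
const ColorSpaceData* toDataUnchecked(const IndexedColorSpace& cs) {
    return cs.base.operator->();
}

// "After": a null inner box converts to nullptr, which callers already reject.
const ColorSpaceData* toDataChecked(const IndexedColorSpace& cs) {
    if (!cs.base.isValid()) return nullptr;
    return cs.base.operator->();
}

// Decode one IndexedColorSpace from a message and validate it. Returns true
// only when the message yields a usable colour space; a null inner box is
// rejected as malformed without crashing the receiving process.
bool acceptIndexedColorSpaceMessage(const std::vector<uint8_t>& bytes) {
    Decoder d(bytes);
    auto base = decodeBox<ColorSpaceData>(d, [](Decoder& dd) -> std::optional<ColorSpaceData> {
        auto id = dd.decodeU32();
        if (!id) return std::nullopt;
        return ColorSpaceData{*id};
    });
    if (!base) return false;                    // decode failure
    IndexedColorSpace cs{std::move(*base)};
    return toDataChecked(cs) != nullptr;        // validator rejects nullptr
}

int main() {
    // Constructed messages: well-formed, null inner box, truncated payload.
    const std::vector<uint8_t> ok{1, 0x2a, 0, 0, 0};
    const std::vector<uint8_t> nullInner{0};
    const std::vector<uint8_t> truncated{1, 0x2a};
    std::printf("well-formed: %s\n", acceptIndexedColorSpaceMessage(ok) ? "accepted" : "rejected");
    std::printf("null inner:  %s\n", acceptIndexedColorSpaceMessage(nullInner) ? "accepted" : "rejected");
    std::printf("truncated:   %s\n", acceptIndexedColorSpaceMessage(truncated) ? "accepted" : "rejected");
    return 0;
}
```

Running the unchecked path on the null-inner message would abort the process, which is exactly the crash the commit fixes; the checked path turns the same input into a clean rejection one level up.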