Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: d4b40e10edf70074195fa76e9ffdc52962a3f04b

https://github.com/WebKit/WebKit/commit/d4b40e10edf70074195fa76e9ffdc52962a3f04b
  Author: Youenn Fablet <[email protected]>
  Date:   2026-07-03 (Fri, 03 Jul 2026)

  Changed paths:
    A LayoutTests/ipc/LocalSampleBufferDisplayLayer-flushAndRemoveImage-cross-thread-uaf-expected.txt
    A LayoutTests/ipc/LocalSampleBufferDisplayLayer-flushAndRemoveImage-cross-thread-uaf.html
    M LayoutTests/platform/glib/TestExpectations
    M Source/WebCore/platform/graphics/avfoundation/objc/LocalSampleBufferDisplayLayer.mm

  Log Message:
  -----------
  [WebKit] Cross-thread use-after-free in RemoteSampleBufferDisplayLayer via off-main layerErrorDidChange() from FlushAndRemoveImage @catch
rdar://176482856

Reviewed by Jean-Yves Avenard.

LocalSampleBufferDisplayLayer::flushAndRemoveImage() dispatches onto m_processingQueue, and the @catch branch called layerErrorDidChange() directly on that background queue. layerErrorDidChange() dereferences the non-thread-safe WeakPtr<SampleBufferDisplayLayerClient> m_client and invokes virtual methods on its RemoteSampleBufferDisplayLayer client, while RemoteSampleBufferDisplayLayerManager::releaseLayer() is dropping the last Ref on the main runloop.

Bounce the @catch handler to the main runloop via callOnMainThread so layerErrorDidChange() runs on the expected thread.

* LayoutTests/ipc/LocalSampleBufferDisplayLayer-flushAndRemoveImage-cross-thread-uaf-expected.txt: Added.

Patch mostly done by Simon Lewis.
* LayoutTests/ipc/LocalSampleBufferDisplayLayer-flushAndRemoveImage-cross-thread-uaf.html: Added.
* LayoutTests/platform/glib/TestExpectations:
* Source/WebCore/platform/graphics/avfoundation/objc/LocalSampleBufferDisplayLayer.mm:
(WebCore::LocalSampleBufferDisplayLayer::flushAndRemoveImage):
Hop to the main thread before calling layerErrorDidChange().

Originally-landed-as: 305413.884@safari-7624-branch (150ce323b07b). 
rdar://180437609
Canonical link: https://commits.webkit.org/316484@main
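The race and the fix described in the commit message, as an added stand-alone illustration that is not WebKit's code: two FIFO task queues stand in for m_processingQueue and the main runloop, `TaskQueue`, `Client`, `Layer` and `runScenario` are hypothetical stand-ins for the classes named above, and `std::weak_ptr` stands in for WebKit's non-thread-safe WeakPtr. Real threads are replaced by draining the queues in a chosen order, so the model shows which thread the client's virtual callback is reached from, not the crash itself.

```cpp
#include <deque>
#include <functional>
#include <memory>
#include <string>
#include <utility>
static std::string currentThread = "none"; // name of the simulated thread that is running
// One TaskQueue stands in for one thread; drain() runs its tasks in FIFO order.
struct TaskQueue {
    std::string name;
    std::deque<std::function<void()>> tasks;
    void dispatch(std::function<void()> f) { tasks.push_back(std::move(f)); }
    void drain() {
        currentThread = name;
        while (!tasks.empty()) { auto f = std::move(tasks.front()); tasks.pop_front(); f(); }
        currentThread = "none";
    }
};
static TaskQueue mainRunLoop { "main" };           // stand-in for the main runloop
static TaskQueue processingQueue { "processing" }; // stand-in for m_processingQueue
static void callOnMainThread(std::function<void()> f) { mainRunLoop.dispatch(std::move(f)); }
// Stand-in for the RemoteSampleBufferDisplayLayer client: records the thread its callback ran on.
struct Client {
    std::string& calledOn;
    explicit Client(std::string& out) : calledOn(out) {}
    virtual ~Client() = default;
    virtual void layerErrorDidChange() { calledOn = currentThread; }
};
// Stand-in for LocalSampleBufferDisplayLayer; std::weak_ptr models the non-thread-safe m_client.
struct Layer {
    std::weak_ptr<Client> m_client;
    void layerErrorDidChange() { if (auto client = m_client.lock()) client->layerErrorDidChange(); }
    void flushAndRemoveImage(bool hopToMain) { // the modelled flush always fails, so @catch runs
        processingQueue.dispatch([this, hopToMain] { // this lambda plays the @catch branch
            if (hopToMain)
                callOnMainThread([this] { layerErrorDidChange(); }); // the fix: bounce to main
            else
                layerErrorDidChange(); // pre-fix: client touched on the processing queue
        });
    }
};
// Returns the thread the client saw the error on, or "skipped" when the main runloop
// dropped the last reference (releaseLayer) before the bounced callback ran.
std::string runScenario(bool hopToMain, bool releaseBeforeCallback) {
    std::string calledOn = "skipped";
    auto client = std::make_shared<Client>(calledOn);
    Layer layer { client };
    layer.flushAndRemoveImage(hopToMain);
    processingQueue.drain();                   // background queue runs; @catch fires here
    if (releaseBeforeCallback) client.reset(); // main thread drops the last Ref
    mainRunLoop.drain();                       // main runloop runs anything bounced to it
    return calledOn;
}
```

Without the hop the client's virtual callback is reached from the processing queue, which is what lets a concurrent release on the main runloop become a use-after-free; with the hop the callback runs on the main runloop, where a client already dropped by releaseLayer is simply not found.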