| Field | Value |
|---|---|
| Summary | [GTK][WPE] UI process crash in WebBackForwardList::restoreFromState |
| Product | WebKit |
| Component | WebKitGTK |
| Reporter | Michael Catanzaro <mcatanzaro> |
| Assignee | Nobody <webkit-unassigned> |
| Status | RESOLVED FIXED |
| Severity | Normal |
| Priority | P2 |
| Version | Other |
| Hardware | PC |
| OS | Linux |
| CC | achristensen, beidson, berto, bugs-noreply, buildbot, cgarcia, darin, gustavo, kling, mcatanzaro, sam, thorton |
| See Also | https://bugzilla.redhat.com/show_bug.cgi?id=1458818, https://bugzilla.gnome.org/show_bug.cgi?id=785557 |
Description
Michael Catanzaro
2017-09-03 07:24:02 PDT

Created attachment 319776 [details]
Backtrace from GNOME Bugzilla

This is tricky because the bug was actually when encoding the session state, but it's not easy to know why current index was encoded as 75 when the bf list had 5 items. It's easy to work around when decoding, and we should do it anyway, we don't want any malicious (or just corrupted) session state file to crash WebKit.

Created attachment 319845 [details]
Patch

This needs a WebKit2 owner approval

Comment on attachment 319845 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=319845&action=review

> Source/WebKit/ChangeLog:11
> + Ensure the current index provided by the session state is not out of actual item list bounds. This is a bug in
> + the session state decoder, but WebBackForwardList::backForwardListState() is already doing the check and using
> + the last item index instead, so it's not easy to know where the actual problem is. But in any case we should
> + still protect the decoder.

If this is a problem with session state decoding, we should fix it in session state decoding. I think this is the wrong place to add this check.

OK, I'll move the fix to the glib parser then.

Created attachment 320109 [details]
Patch

Thanks for the patch. If this patch contains new public API please make sure it follows the guidelines for new WebKit2 GTK+ API. See http://trac.webkit.org/wiki/WebKitGTK/AddingNewWebKit2API

Committed r221779: <http://trac.webkit.org/changeset/221779>
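The kind of check the discussion asks for on the decoding side, as an added, hypothetical illustration that is not WebKit's code (the struct and function names are invented): the decoded current index is validated against the item list before use, with the strict reject-the-state variant and the clamp-to-last-item fallback the ChangeLog describes shown side by side, including the empty-list edge case.

```cpp
#include <cstddef>
#include <optional>
#include <string>
#include <vector>

// Hypothetical stand-in for a decoded back/forward list state (invented types,
// not WebKit's): items plus current index, both read from an untrusted file.
struct BackForwardListState {
    std::vector<std::string> itemURLs;
    std::optional<std::size_t> currentIndex; // empty when the list is empty
};

// Strict variant: check the index before anything dereferences it. A corrupted
// or crafted file yields a clean failure (false), not an out-of-bounds access.
bool validateCurrentIndex(BackForwardListState& state)
{
    if (state.itemURLs.empty()) {
        state.currentIndex.reset(); // no items, so no current item
        return true;
    }
    if (!state.currentIndex)
        return false;
    return *state.currentIndex < state.itemURLs.size();
}

// Lenient variant, mirroring the fallback the ChangeLog attributes to
// WebBackForwardList::backForwardListState(): an out-of-range index is
// replaced by the index of the last item. Returns the index actually used.
std::optional<std::size_t> clampCurrentIndex(BackForwardListState& state)
{
    if (state.itemURLs.empty()) {
        state.currentIndex.reset();
        return std::nullopt;
    }
    const std::size_t last = state.itemURLs.size() - 1;
    if (!state.currentIndex || *state.currentIndex > last)
        state.currentIndex = last;
    return state.currentIndex;
}

// Constructed sample matching the report: 5 items but a current index of 75.
BackForwardListState corruptedSample()
{
    BackForwardListState state;
    for (int i = 0; i < 5; ++i)
        state.itemURLs.push_back("https://example.org/page" + std::to_string(i));
    state.currentIndex = 75;
    return state;
}
```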