Bug 217668

Summary: Null dereference in PDFPlugin::snapshot()
Product: WebKit Reporter: Julian Gonzalez <julian_a_gonzalez>
Component: PDFAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: achristensen, rniwa
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Mac   
OS: Unspecified   
Attachments:
Description Flags
Crash log
none
Patch
none
Patch
none
Crash log
none
Crash log
none
Patch
none
Patch none

Description Julian Gonzalez 2020-10-13 14:15:52 PDT 
Created attachment 411254 [details]
Crash log

In PDFPlugin::snapshot(), it's possible to dereference nullptr:

RefPtr<ShareableBitmap> PDFPlugin::snapshot()
{
...
    auto bitmap = ShareableBitmap::createShareable(backingStoreSize, { });
    auto context = bitmap->createGraphicsContext();
    if (!context)
        return nullptr;
...
}

bitmap here can be nullptr, so it must be checked before use.
Attaching a crash log.
Comment 1 Julian Gonzalez 2020-10-13 14:25:57 PDT 
Created attachment 411256 [details]
Patch
Comment 2 Julian Gonzalez 2020-10-13 14:30:36 PDT 
<rdar://problem/70173839>
Comment 3 Julian Gonzalez 2020-10-13 14:34:22 PDT 
Created attachment 411257 [details]
Patch
Comment 4 Julian Gonzalez 2020-10-13 14:41:53 PDT 
Created attachment 411259 [details]
Crash log
Comment 5 Julian Gonzalez 2020-10-13 14:42:24 PDT 
Created attachment 411260 [details]
Crash log
Comment 6 Julian Gonzalez 2020-10-13 15:18:46 PDT 
Created attachment 411267 [details]
Patch
Comment 7 Ryosuke Niwa 2020-10-13 15:23:44 PDT 
Comment on attachment 411267 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=411267&action=review

> LayoutTests/plugins/pdf-plugin-null-onloaddeddata.html:4
> +/*begincss*/

This comment is useless. Please remove it.

> LayoutTests/plugins/pdf-plugin-null-onloaddeddata.html:5
> +:not(glyphRef) { zoom: 61; }

Do we really need it?
If we do, I presume we only need it on body or embed so I'd suggest either one of:
embed { zoom: 61; }
body { zoom: 61; }
embed, body { zoom: 61; }

> LayoutTests/plugins/pdf-plugin-null-onloaddeddata.html:6
> +/*endcss*/

Ditto.
Comment 8 Ryosuke Niwa 2020-10-13 15:24:06 PDT 
Comment on attachment 411267 [details]
Patch

cq- because I'd like to see the test case being improved.
Comment 9 Julian Gonzalez 2020-10-13 15:25:21 PDT 
(In reply to Ryosuke Niwa from comment #7)
> Comment on attachment 411267 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=411267&action=review
> 
> > LayoutTests/plugins/pdf-plugin-null-onloaddeddata.html:4
> > +/*begincss*/
> 
> This comment is useless. Please remove it.
> 

Will do.

> > LayoutTests/plugins/pdf-plugin-null-onloaddeddata.html:5
> > +:not(glyphRef) { zoom: 61; }
> 
> Do we really need it?
> If we do, I presume we only need it on body or embed so I'd suggest either
> one of:
> embed { zoom: 61; }
> body { zoom: 61; }
> embed, body { zoom: 61; }
> 

We do, unfortunately. I'll try the suggestions.

> > LayoutTests/plugins/pdf-plugin-null-onloaddeddata.html:6
> > +/*endcss*/
> 
> Ditto.

Ditto the ditto.
Comment 10 Julian Gonzalez 2020-10-13 15:38:32 PDT 
Created attachment 411271 [details]
Patch
Comment 11 EWS 2020-10-13 16:28:05 PDT 
Committed r268432: <https://trac.webkit.org/changeset/268432>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 411271 [details].