Bug 217668

Summary: Null dereference in PDFPlugin::snapshot()
Product: WebKit Reporter: Julian Gonzalez <julian_a_gonzalez>
Component: PDFAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: achristensen, rniwa
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Mac   
OS: Unspecified   
Attachments:
Description Flags
Crash log
none
Patch
none
Patch
none
Crash log
none
Crash log
none
Patch
none
Patch none

Julian Gonzalez
Reported 2020-10-13 14:15:52 PDT
Created attachment 411254 [details] Crash log In PDFPlugin::snapshot(), it's possible to dereference nullptr: RefPtr<ShareableBitmap> PDFPlugin::snapshot() { ... auto bitmap = ShareableBitmap::createShareable(backingStoreSize, { }); auto context = bitmap->createGraphicsContext(); if (!context) return nullptr; ... } bitmap here can be nullptr, so it must be checked before use. Attaching a crash log.
Attachments
Crash log (7.40 KB, text/plain)
2020-10-13 14:15 PDT, Julian Gonzalez 		no flags
Details
Patch (3.43 KB, patch)
2020-10-13 14:25 PDT, Julian Gonzalez 		no flags
DetailsFormatted DiffDiff
Patch (3.46 KB, patch)
2020-10-13 14:34 PDT, Julian Gonzalez 		no flags
DetailsFormatted DiffDiff
Crash log (5.83 KB, text/plain)
2020-10-13 14:41 PDT, Julian Gonzalez 		no flags
Details
Crash log (2.54 KB, text/plain)
2020-10-13 14:42 PDT, Julian Gonzalez 		no flags
Details
Patch (3.54 KB, patch)
2020-10-13 15:18 PDT, Julian Gonzalez 		no flags
DetailsFormatted DiffDiff
Patch (3.51 KB, patch)
2020-10-13 15:38 PDT, Julian Gonzalez 		no flags
DetailsFormatted DiffDiff
Show Obsolete (5) View All Add attachment proposed patch, testcase, etc.
Julian Gonzalez
Comment 1 2020-10-13 14:25:57 PDT
Created attachment 411256 [details] Patch
Julian Gonzalez
Comment 2 2020-10-13 14:30:36 PDT
<rdar://problem/70173839>
Julian Gonzalez
Comment 3 2020-10-13 14:34:22 PDT
Created attachment 411257 [details] Patch
Julian Gonzalez
Comment 4 2020-10-13 14:41:53 PDT
Created attachment 411259 [details] Crash log
Julian Gonzalez
Comment 5 2020-10-13 14:42:24 PDT
Created attachment 411260 [details] Crash log
Julian Gonzalez
Comment 6 2020-10-13 15:18:46 PDT
Created attachment 411267 [details] Patch
Ryosuke Niwa
Comment 7 2020-10-13 15:23:44 PDT
Comment on attachment 411267 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=411267&action=review > LayoutTests/plugins/pdf-plugin-null-onloaddeddata.html:4 > +/*begincss*/ This comment is useless. Please remove it. > LayoutTests/plugins/pdf-plugin-null-onloaddeddata.html:5 > +:not(glyphRef) { zoom: 61; } Do we really need it? If we do, I presume we only need it on body or embed so I'd suggest either one of: embed { zoom: 61; } body { zoom: 61; } embed, body { zoom: 61; } > LayoutTests/plugins/pdf-plugin-null-onloaddeddata.html:6 > +/*endcss*/ Ditto.
Ryosuke Niwa
Comment 8 2020-10-13 15:24:06 PDT
Comment on attachment 411267 [details] Patch cq- because I'd like to see the test case being improved.
Julian Gonzalez
Comment 9 2020-10-13 15:25:21 PDT
(In reply to Ryosuke Niwa from comment #7) > Comment on attachment 411267 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=411267&action=review > > > LayoutTests/plugins/pdf-plugin-null-onloaddeddata.html:4 > > +/*begincss*/ > > This comment is useless. Please remove it. > Will do. > > LayoutTests/plugins/pdf-plugin-null-onloaddeddata.html:5 > > +:not(glyphRef) { zoom: 61; } > > Do we really need it? > If we do, I presume we only need it on body or embed so I'd suggest either > one of: > embed { zoom: 61; } > body { zoom: 61; } > embed, body { zoom: 61; } > We do, unfortunately. I'll try the suggestions. > > LayoutTests/plugins/pdf-plugin-null-onloaddeddata.html:6 > > +/*endcss*/ > > Ditto. Ditto the ditto.
Julian Gonzalez
Comment 10 2020-10-13 15:38:32 PDT
Created attachment 411271 [details] Patch
EWS
Comment 11 2020-10-13 16:28:05 PDT
Committed r268432: <https://trac.webkit.org/changeset/268432> All reviewed patches have been landed. Closing bug and clearing flags on attachment 411271 [details].
Note You need to log in before you can comment on or make changes to this bug.