Bug 279221

Summary: REGRESSION(276827@main): Possible null pointer dereferencing when an image frame finishes decoding while the document is getting closed
Product: WebKit
Reporter: Said Abou-Hallawa <sabouhallawa>
Component: Images
Assignee: Said Abou-Hallawa <sabouhallawa>
Status: RESOLVED FIXED
Severity: Normal
CC: sabouhallawa, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
See Also: https://bugs.webkit.org/show_bug.cgi?id=265363

Said Abou-Hallawa
Reported 2024-09-05 13:31:11 PDT
Before 276827@main, the image decoding thread was calling ImageSource::cachePlatformImageAtIndexAsync() on the main thread to cache the decoded frame. This function was making an early return if isDecoderAvailable() returned false:

    void ImageSource::cachePlatformImageAtIndexAsync(...)
    {
        if (!isDecoderAvailable())
            return;
        ...
    }

After 276827@main, the image decoding thread calls BitmapImageSource::imageFrameDecodeAtIndexHasFinished(), which calls BitmapImageSource::cacheMetadataAtIndex(). This function assumes the decoder has to be available:

    void BitmapImageSource::cacheMetadataAtIndex(...)
    {
        ASSERT(m_decoder);
        ...
    }

We need to restore the old check to avoid null pointer dereferencing if the document is getting closed.
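The race described in the report, as an added illustration (not WebKit's code): a decode-completion task queued for the main thread runs only after the document has closed and the decoder has been dropped. `Decoder`, `clearDecoder()`, `cachedDuration()` and `runDecodeFinishedAfterClose()` are stand-ins assumed for this example; the guard in `imageFrameDecodeAtIndexHasFinished()` mirrors the early return the report says must be restored, and `cacheMetadataAtIndex()` keeps the unconditional `m_decoder` dereference that made the missing check a null pointer bug.

```cpp
// Added example (not WebKit code): models a decode-completion callback that
// outlives the decoder it wants to touch.
#include <cstddef>
#include <functional>
#include <memory>
#include <optional>
#include <queue>
#include <vector>

struct Decoder { // hypothetical stand-in for the platform image decoder
    size_t frameDurationMs(size_t) const { return 100; }
};

enum class CacheResult { Cached, SkippedNoDecoder };

class BitmapImageSource {
public:
    BitmapImageSource() : m_decoder(std::make_unique<Decoder>()) {}
    bool isDecoderAvailable() const { return m_decoder != nullptr; }
    // Document close drops the decoder while decode tasks may still be queued.
    void clearDecoder() { m_decoder.reset(); }

    // Main-thread entry point reached from the decoding thread. The early
    // return is the pre-276827 guard: without it, cacheMetadataAtIndex()
    // dereferences a null m_decoder (ASSERT(m_decoder) only fires in debug).
    CacheResult imageFrameDecodeAtIndexHasFinished(size_t index) {
        if (!isDecoderAvailable())
            return CacheResult::SkippedNoDecoder;
        cacheMetadataAtIndex(index);
        return CacheResult::Cached;
    }
    std::optional<size_t> cachedDuration(size_t index) const {
        return index < m_durations.size() ? m_durations[index] : std::nullopt;
    }
private:
    // Precondition: m_decoder is non-null; this is where the crash would be.
    void cacheMetadataAtIndex(size_t index) {
        if (m_durations.size() <= index) m_durations.resize(index + 1);
        m_durations[index] = m_decoder->frameDurationMs(index);
    }
    std::unique_ptr<Decoder> m_decoder;
    std::vector<std::optional<size_t>> m_durations;
};

// Decode thread posts "frame 0 finished"; if closeFirst, the document closes
// before the main thread drains its queue. Returns what the queued task did.
CacheResult runDecodeFinishedAfterClose(BitmapImageSource& source, bool closeFirst) {
    std::queue<std::function<CacheResult()>> mainThreadQueue;
    mainThreadQueue.push([&source] { return source.imageFrameDecodeAtIndexHasFinished(0); });
    if (closeFirst) source.clearDecoder();
    auto task = std::move(mainThreadQueue.front());
    mainThreadQueue.pop();
    return task();
}
```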
Said Abou-Hallawa
Comment 1 2024-09-05 13:31:34 PDT
Said Abou-Hallawa
Comment 2 2024-09-05 13:45:33 PDT
EWS
Comment 3 2024-09-05 17:14:22 PDT
Committed 283241@main (926b6385eb9e): <https://commits.webkit.org/283241@main> Reviewed commits have been landed. Closing PR #33207 and removing active labels.