Bug 284408

Summary: OOB crash under WebKit::dataProviderGetBytesAtPositionCallback during off-main-thread incremental PDF loading
Product: WebKit Reporter: Abrar Rahman Protyasha <a_protyasha>
Component: PDFAssignee: Jonathan Bedard <jbedard>
Status: RESOLVED FIXED    
Severity: Normal CC: a_protyasha, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   

Abrar Rahman Protyasha
Reported 2024-12-10 14:30:53 PST
rdar://131110151
Attachments
Add attachment proposed patch, testcase, etc.
Abrar Rahman Protyasha
Comment 1 2024-12-10 14:34:03 PST
Representative crash: ``` Thread 4 Crashed:: Dispatch queue: LinearizedPagePreload 0 _platform_memmove + 96 1 void WTF::memcpySpan<unsigned char, 18446744073709551615ul, unsigned char const, 18446744073709551615ul>(std::__1::span<unsigned char, 18446744073709551615ul>, std::__1::span<unsigned char const, 18446744073709551615ul>) + 16 2 WebKit::PDFIncrementalLoader::dataProviderGetBytesAtPosition(std::__1::span<unsigned char, 18446744073709551615ul>, long long) + 52 3 WebKit::dataProviderGetBytesAtPositionCallback(void*, void*, long long, unsigned long) + 308 4 provider_get_bytes_at_position + 84 5 CGDataProviderDirectGetBytesAtPositionInternal + 308 ``` My current leading hypothesis is that the source buffer for the memcpy is nulled out before using it but after fetching it from the plugin. We should guard this work behind the data lock used for the buffer, too.
Abrar Rahman Protyasha
Comment 2 2024-12-10 15:04:01 PST
Pull request: https://github.com/apple/WebKit/pull/2388
EWS
Comment 3 2024-12-11 00:01:45 PST
Committed 283286.578@safari-7620-branch (de6e83ab1f4d): <https://commits.webkit.org/283286.578@safari-7620-branch> Reviewed commits have been landed. Closing PR #2388 and removing active labels.
Jonathan Bedard
Comment 4 2024-12-16 07:59:08 PST
<rdar://problem/141548517>
Jonathan Bedard
Comment 5 2024-12-16 08:04:00 PST
Re-opening for pull request https://github.com/apple/WebKit/pull/2406
EWS
Comment 6 2024-12-16 09:15:32 PST
Committed 283286.595@safari-7620-branch (0053acf9bc55): <https://commits.webkit.org/283286.595@safari-7620-branch> Reviewed commits have been landed. Closing PR #2406 and removing active labels.
Robert Jenner
Comment 7 2025-01-29 12:21:31 PST
<rdar://problem/143592990>
EWS
Comment 8 2025-01-31 17:14:49 PST
Committed 289647@main (1c283c67a9c0): <https://commits.webkit.org/289647@main> Reviewed commits have been landed. Closing PR #39706 and removing active labels.
Note You need to log in before you can comment on or make changes to this bug.