237187 – (CVE-2022-30293) heap-buffer-overflow in WebCore::TextureMapperLayer::setContentsLayer(WebCore::TextureMapperPlatformLayer*)

RESOLVED FIXED Bug 237187

CVE-2022-30293 heap-buffer-overflow in WebCore::TextureMapperLayer::setContentsLayer(WebCore::TextureMapperPlatformLayer*)

https://bugs.webkit.org/show_bug.cgi?id=237187

Summary heap-buffer-overflow in WebCore::TextureMapperLayer::setContentsLayer(WebCore...

Chijin

Reported 2022-02-25 00:19:28 PST

Created attachment 453180 [details] This file is generated by a browser fuzzer The attached file cause a heap buffer overflow in setContentsLayer(). Version: safari-613.1.5-branch (4f329ebf4c7cb23791f7634fe9b917b20dc2e5a6) and webkitgtk-2.34.6 asan report: ==16712==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b0000d4ab8 at pc 0x7f79a33b83ff bp 0x7ffde8451be0 sp 0x7ffde8451bd8 WRITE of size 8 at 0x61b0000d4ab8 thread T0 #0 0x7f79a33b83fe in WebCore::TextureMapperLayer::setContentsLayer(WebCore::TextureMapperPlatformLayer*) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:702:21 #1 0x7f79a33d29aa in WebCore::TextureMapperPlatformLayerProxy::~TextureMapperPlatformLayerProxy() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/platform/graphics/texmap/TextureMapperPlatformLayerProxy.cpp:56:24 #2 0x7f79a33d2ed8 in WebCore::TextureMapperPlatformLayerProxy::~TextureMapperPlatformLayerProxy() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/platform/graphics/texmap/TextureMapperPlatformLayerProxy.cpp:53:1 #3 0x7f79a3410b9f in WTF::ThreadSafeRefCounted<WebCore::TextureMapperPlatformLayerProxy, (WTF::DestructionThread)0>::deref() const::'lambda'()::operator()() const /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/ThreadSafeRefCounted.h:117:13 #4 0x7f79a3410b9f in WTF::ThreadSafeRefCounted<WebCore::TextureMapperPlatformLayerProxy, (WTF::DestructionThread)0>::deref() const /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/ThreadSafeRefCounted.h:129:9 #5 0x7f79a3410b9f in WTF::Ref<WebCore::TextureMapperPlatformLayerProxy, WTF::RawPtrTraits<WebCore::TextureMapperPlatformLayerProxy> >::~Ref() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/Ref.h:61:18 #6 0x7f79a3410b9f in Nicosia::ContentLayerTextureMapperImpl::~ContentLayerTextureMapperImpl() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/platform/graphics/nicosia/texmap/NicosiaContentLayerTextureMapperImpl.cpp:58:1 #7 0x7f79a3410c48 in Nicosia::ContentLayerTextureMapperImpl::~ContentLayerTextureMapperImpl() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/platform/graphics/nicosia/texmap/NicosiaContentLayerTextureMapperImpl.cpp:53:1 #8 0x7f79a34061ab in std::default_delete<Nicosia::ContentLayer::Impl>::operator()(Nicosia::ContentLayer::Impl*) const /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:81:2 #9 0x7f79a34061ab in std::unique_ptr<Nicosia::ContentLayer::Impl, std::default_delete<Nicosia::ContentLayer::Impl> >::~unique_ptr() /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:292:4 #10 0x7f79a34061ab in Nicosia::ContentLayer::~ContentLayer() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/platform/graphics/nicosia/NicosiaPlatformLayer.cpp:58:29 #11 0x7f79a3406388 in Nicosia::ContentLayer::~ContentLayer() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/platform/graphics/nicosia/NicosiaPlatformLayer.cpp:58:29 #12 0x7f79a9447ea2 in WTF::ThreadSafeRefCounted<Nicosia::PlatformLayer, (WTF::DestructionThread)0>::deref() const::'lambda'()::operator()() const /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/ThreadSafeRefCounted.h:117:13 #13 0x7f79a9447ea2 in WTF::ThreadSafeRefCounted<Nicosia::PlatformLayer, (WTF::DestructionThread)0>::deref() const /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/ThreadSafeRefCounted.h:129:9 #14 0x7f79a9447ea2 in WTF::Ref<Nicosia::ContentLayer, WTF::RawPtrTraits<Nicosia::ContentLayer> >::~Ref() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/Ref.h:61:18 #15 0x7f79a9447ea2 in Nicosia::GCGLLayer::~GCGLLayer() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/platform/graphics/nicosia/texmap/NicosiaGCGLLayer.cpp:60:1 #16 0x7f79a9447fa8 in Nicosia::GCGLLayer::~GCGLLayer() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/platform/graphics/nicosia/texmap/NicosiaGCGLLayer.cpp:58:1 #17 0x7f79a94201f2 in std::default_delete<Nicosia::GCGLLayer>::operator()(Nicosia::GCGLLayer*) const /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:81:2 #18 0x7f79a94201f2 in std::unique_ptr<Nicosia::GCGLLayer, std::default_delete<Nicosia::GCGLLayer> >::~unique_ptr() /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:292:4 #19 0x7f79a94201f2 in WebCore::GraphicsContextGLOpenGL::~GraphicsContextGLOpenGL() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/platform/graphics/texmap/GraphicsContextGLTextureMapper.cpp:386:1 #20 0x7f79a9420918 in WebCore::GraphicsContextGLOpenGL::~GraphicsContextGLOpenGL() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/platform/graphics/texmap/GraphicsContextGLTextureMapper.cpp:348:1 #21 0x7f79a6a9d7be in std::default_delete<WebCore::GraphicsContextGL>::operator()(WebCore::GraphicsContextGL*) const /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:81:2 #22 0x7f79a6a9d7be in WTF::RefCounted<WebCore::GraphicsContextGL, std::default_delete<WebCore::GraphicsContextGL> >::deref() const /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/RefCounted.h:190:13 #23 0x7f79a6a9d7be in WTF::DefaultRefDerefTraits<WebCore::GraphicsContextGL>::derefIfNotNull(WebCore::GraphicsContextGL*) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/RefPtr.h:42:18 #24 0x7f79a6a9d7be in WTF::RefPtr<WebCore::GraphicsContextGL, WTF::RawPtrTraits<WebCore::GraphicsContextGL>, WTF::DefaultRefDerefTraits<WebCore::GraphicsContextGL> >::operator=(std::nullptr_t) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/RefPtr.h:159:5 #25 0x7f79a6a9d7be in WebCore::WebGLRenderingContextBase::destroyGraphicsContextGL() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp:1199:19 #26 0x7f79a6ae593a in WebCore::WebGLRenderingContextBase::~WebGLRenderingContextBase() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp:1174:9 #27 0x7f79a6afbe1f in WebCore::WebGLRenderingContext::~WebGLRenderingContext() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/html/canvas/WebGLRenderingContext.h:35:7 #28 0x7f79a6afbe1f in non-virtual thunk to WebCore::WebGLRenderingContext::~WebGLRenderingContext() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/html/canvas/WebGLRenderingContext.h #29 0x7f79a65cbef4 in std::default_delete<WebCore::CanvasRenderingContext>::operator()(WebCore::CanvasRenderingContext*) const /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:81:2 #30 0x7f79a65cbef4 in std::unique_ptr<WebCore::CanvasRenderingContext, std::default_delete<WebCore::CanvasRenderingContext> >::reset(WebCore::CanvasRenderingContext*) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:402:4 #31 0x7f79a65cbef4 in std::unique_ptr<WebCore::CanvasRenderingContext, std::default_delete<WebCore::CanvasRenderingContext> >::operator=(std::nullptr_t) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:336:2 #32 0x7f79a65cbef4 in WebCore::HTMLCanvasElement::~HTMLCanvasElement() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/html/HTMLCanvasElement.cpp:148:15 #33 0x7f79a65cc668 in WebCore::HTMLCanvasElement::~HTMLCanvasElement() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/html/HTMLCanvasElement.cpp:141:1 #34 0x7f79a5db5577 in WebCore::Node::deref() const /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/dom/Node.h:804:34 #35 0x7f79a5db5577 in WTF::DefaultRefDerefTraits<WebCore::Node>::derefIfNotNull(WebCore::Node*) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/RefPtr.h:42:18 #36 0x7f79a5db5577 in WTF::RefPtr<WebCore::Node, WTF::RawPtrTraits<WebCore::Node>, WTF::DefaultRefDerefTraits<WebCore::Node> >::~RefPtr() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/RefPtr.h:73:31 #37 0x7f79a5db5577 in WTF::RefPtr<WebCore::Node, WTF::RawPtrTraits<WebCore::Node>, WTF::DefaultRefDerefTraits<WebCore::Node> >::operator=(WTF::RefPtr<WebCore::Node, WTF::RawPtrTraits<WebCore::Node>, WTF::DefaultRefDerefTraits<WebCore::Node> > const&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/RefPtr.h:137:1 #38 0x7f79a5db5577 in WebCore::addChildNodesToDeletionQueue(WebCore::Node*&, WebCore::Node*&, WebCore::ContainerNode&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/dom/ContainerNodeAlgorithms.cpp:186:65 #39 0x7f79a5d9b84e in WebCore::removeDetachedChildrenInContainer(WebCore::ContainerNode&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/dom/ContainerNodeAlgorithms.cpp:225:5 #40 0x7f79a5d9b84e in WebCore::ContainerNode::removeDetachedChildren() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/dom/ContainerNode.cpp:282:5 #41 0x7f79a5d9d665 in WebCore::ContainerNode::~ContainerNode() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/dom/ContainerNode.cpp:316:5 #42 0x7f79a65c6518 in WebCore::HTMLBodyElement::~HTMLBodyElement() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/html/HTMLBodyElement.cpp:64:35 #43 0x7f79a65c6518 in WebCore::HTMLBodyElement::~HTMLBodyElement() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/html/HTMLBodyElement.cpp:64:35 #44 0x7f79a5db5577 in WebCore::Node::deref() const /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/dom/Node.h:804:34 #45 0x7f79a5db5577 in WTF::DefaultRefDerefTraits<WebCore::Node>::derefIfNotNull(WebCore::Node*) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/RefPtr.h:42:18 #46 0x7f79a5db5577 in WTF::RefPtr<WebCore::Node, WTF::RawPtrTraits<WebCore::Node>, WTF::DefaultRefDerefTraits<WebCore::Node> >::~RefPtr() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/RefPtr.h:73:31 #47 0x7f79a5db5577 in WTF::RefPtr<WebCore::Node, WTF::RawPtrTraits<WebCore::Node>, WTF::DefaultRefDerefTraits<WebCore::Node> >::operator=(WTF::RefPtr<WebCore::Node, WTF::RawPtrTraits<WebCore::Node>, WTF::DefaultRefDerefTraits<WebCore::Node> > const&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/RefPtr.h:137:1 #48 0x7f79a5db5577 in WebCore::addChildNodesToDeletionQueue(WebCore::Node*&, WebCore::Node*&, WebCore::ContainerNode&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/dom/ContainerNodeAlgorithms.cpp:186:65 #49 0x7f79a5d9b84e in WebCore::removeDetachedChildrenInContainer(WebCore::ContainerNode&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/dom/ContainerNodeAlgorithms.cpp:225:5 #50 0x7f79a5d9b84e in WebCore::ContainerNode::removeDetachedChildren() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/dom/ContainerNode.cpp:282:5 #51 0x7f79a5d9d665 in WebCore::ContainerNode::~ContainerNode() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/dom/ContainerNode.cpp:316:5 #52 0x7f79a666d2d8 in WebCore::HTMLHtmlElement::~HTMLHtmlElement() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/html/HTMLHtmlElement.h:30:7 #53 0x7f79a5db5577 in WebCore::Node::deref() const /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/dom/Node.h:804:34 #54 0x7f79a5db5577 in WTF::DefaultRefDerefTraits<WebCore::Node>::derefIfNotNull(WebCore::Node*) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/RefPtr.h:42:18 #55 0x7f79a5db5577 in WTF::RefPtr<WebCore::Node, WTF::RawPtrTraits<WebCore::Node>, WTF::DefaultRefDerefTraits<WebCore::Node> >::~RefPtr() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/RefPtr.h:73:31 #56 0x7f79a5db5577 in WTF::RefPtr<WebCore::Node, WTF::RawPtrTraits<WebCore::Node>, WTF::DefaultRefDerefTraits<WebCore::Node> >::operator=(WTF::RefPtr<WebCore::Node, WTF::RawPtrTraits<WebCore::Node>, WTF::DefaultRefDerefTraits<WebCore::Node> > const&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/RefPtr.h:137:1 #57 0x7f79a5db5577 in WebCore::addChildNodesToDeletionQueue(WebCore::Node*&, WebCore::Node*&, WebCore::ContainerNode&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/dom/ContainerNodeAlgorithms.cpp:186:65 #58 0x7f79a5d9b84e in WebCore::removeDetachedChildrenInContainer(WebCore::ContainerNode&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/dom/ContainerNodeAlgorithms.cpp:225:5 #59 0x7f79a5d9b84e in WebCore::ContainerNode::removeDetachedChildren() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/dom/ContainerNode.cpp:282:5 #60 0x7f79a5d9d665 in WebCore::ContainerNode::~ContainerNode() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/dom/ContainerNode.cpp:316:5 #61 0x7f79a65c6518 in WebCore::HTMLBodyElement::~HTMLBodyElement() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/html/HTMLBodyElement.cpp:64:35 #62 0x7f79a65c6518 in WebCore::HTMLBodyElement::~HTMLBodyElement() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/html/HTMLBodyElement.cpp:64:35 #63 0x7f79a5db5577 in WebCore::Node::deref() const /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/dom/Node.h:804:34 #64 0x7f79a5db5577 in WTF::DefaultRefDerefTraits<WebCore::Node>::derefIfNotNull(WebCore::Node*) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/RefPtr.h:42:18 #65 0x7f79a5db5577 in WTF::RefPtr<WebCore::Node, WTF::RawPtrTraits<WebCore::Node>, WTF::DefaultRefDerefTraits<WebCore::Node> >::~RefPtr() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/RefPtr.h:73:31 #66 0x7f79a5db5577 in WTF::RefPtr<WebCore::Node, WTF::RawPtrTraits<WebCore::Node>, WTF::DefaultRefDerefTraits<WebCore::Node> >::operator=(WTF::RefPtr<WebCore::Node, WTF::RawPtrTraits<WebCore::Node>, WTF::DefaultRefDerefTraits<WebCore::Node> > const&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/RefPtr.h:137:1 #67 0x7f79a5db5577 in WebCore::addChildNodesToDeletionQueue(WebCore::Node*&, WebCore::Node*&, WebCore::ContainerNode&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/dom/ContainerNodeAlgorithms.cpp:186:65 #68 0x7f79a5d9b84e in WebCore::removeDetachedChildrenInContainer(WebCore::ContainerNode&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/dom/ContainerNodeAlgorithms.cpp:225:5 #69 0x7f79a5d9b84e in WebCore::ContainerNode::removeDetachedChildren() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/dom/ContainerNode.cpp:282:5 #70 0x7f79a5d9d665 in WebCore::ContainerNode::~ContainerNode() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/dom/ContainerNode.cpp:316:5 #71 0x7f79a666d2d8 in WebCore::HTMLHtmlElement::~HTMLHtmlElement() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/html/HTMLHtmlElement.h:30:7 #72 0x7f79a5db5577 in WebCore::Node::deref() const /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/dom/Node.h:804:34 #73 0x7f79a5db5577 in WTF::DefaultRefDerefTraits<WebCore::Node>::derefIfNotNull(WebCore::Node*) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/RefPtr.h:42:18 #74 0x7f79a5db5577 in WTF::RefPtr<WebCore::Node, WTF::RawPtrTraits<WebCore::Node>, WTF::DefaultRefDerefTraits<WebCore::Node> >::~RefPtr() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/RefPtr.h:73:31 #75 0x7f79a5db5577 in WTF::RefPtr<WebCore::Node, WTF::RawPtrTraits<WebCore::Node>, WTF::DefaultRefDerefTraits<WebCore::Node> >::operator=(WTF::RefPtr<WebCore::Node, WTF::RawPtrTraits<WebCore::Node>, WTF::DefaultRefDerefTraits<WebCore::Node> > const&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/RefPtr.h:137:1 #76 0x7f79a5db5577 in WebCore::addChildNodesToDeletionQueue(WebCore::Node*&, WebCore::Node*&, WebCore::ContainerNode&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/dom/ContainerNodeAlgorithms.cpp:186:65 #77 0x7f79a5d9b84e in WebCore::removeDetachedChildrenInContainer(WebCore::ContainerNode&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/dom/ContainerNodeAlgorithms.cpp:225:5 #78 0x7f79a5d9b84e in WebCore::ContainerNode::removeDetachedChildren() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/dom/ContainerNode.cpp:282:5 #79 0x7f79a5e19b07 in WebCore::Document::removedLastRef() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/dom/Document.cpp:822:9 #80 0x7f79a65daabc in WebCore::Node::deref() const /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/dom/Node.h:804:34 #81 0x7f79a65daabc in WTF::Ref<WebCore::ContainerNode, WTF::RawPtrTraits<WebCore::ContainerNode> >::~Ref() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/Ref.h:61:18 #82 0x7f79a65daabc in WebCore::HTMLCollection::~HTMLCollection() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/html/HTMLCollection.cpp:143:1 #83 0x7f79a5f02a59 in WebCore::CachedHTMLCollection<WebCore::GenericCachedHTMLCollection<(WebCore::CollectionTraversalType)0>, (WebCore::CollectionTraversalType)0>::~CachedHTMLCollection() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/html/CachedHTMLCollection.h:85:1 #84 0x7f79a5f02b78 in WebCore::GenericCachedHTMLCollection<(WebCore::CollectionTraversalType)0>::~GenericCachedHTMLCollection() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/html/GenericCachedHTMLCollection.h:33:7 #85 0x7f799df2bd84 in JSC::JSDestructibleObjectDestroyFunc::operator()(JSC::VM&, JSC::JSCell*) const /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/runtime/JSDestructibleObjectHeapCellType.cpp:38:9 #86 0x7f799df2bd84 in void JSC::MarkedBlock::Handle::specializedSweep<true, (JSC::MarkedBlock::Handle::EmptyMode)0, (JSC::MarkedBlock::Handle::SweepMode)1, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)0, JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::JSDestructibleObjectDestroyFunc const&)::'lambda'(void*)::operator()(void*) const /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/heap/MarkedBlockInlines.h:260:13 #87 0x7f799df2bd84 in void JSC::MarkedBlock::Handle::specializedSweep<true, (JSC::MarkedBlock::Handle::EmptyMode)0, (JSC::MarkedBlock::Handle::SweepMode)1, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)0, JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::JSDestructibleObjectDestroyFunc const&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/heap/MarkedBlockInlines.h:294:17 #88 0x7f799df265d1 in void JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType<JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::JSDestructibleObjectDestroyFunc const&)::'lambda'()::operator()() const /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/heap/MarkedBlockInlines.h:403:21 #89 0x7f799df16158 in void JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType<JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::JSDestructibleObjectDestroyFunc const&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/heap/MarkedBlockInlines.h:435:9 #90 0x7f799df049b8 in JSC::JSDestructibleObjectHeapCellType::finishSweep(JSC::MarkedBlock::Handle&, JSC::FreeList*) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/runtime/JSDestructibleObjectHeapCellType.cpp:53:12 #91 0x7f799cdb19d9 in JSC::MarkedBlock::Handle::sweep(JSC::FreeList*) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/heap/MarkedBlock.cpp:415:21 #92 0x7f799cd9d31f in JSC::LocalAllocator::tryAllocateIn(JSC::MarkedBlock::Handle*) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/heap/LocalAllocator.cpp:225:12 #93 0x7f799cd9d0fa in JSC::LocalAllocator::tryAllocateWithoutCollecting() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/heap/LocalAllocator.cpp:191:28 #94 0x7f799cd9c662 in JSC::LocalAllocator::allocateSlowCase(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/heap/LocalAllocator.cpp:132:20 #95 0x7f79a53ee008 in JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::'lambda'()::operator()() const /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/JavaScriptCore/PrivateHeaders/JavaScriptCore/LocalAllocatorInlines.h:40:43 #96 0x7f79a53ee008 in JSC::HeapCell* JSC::FreeList::allocate<JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::'lambda'()>(JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::'lambda'() const&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/JavaScriptCore/PrivateHeaders/JavaScriptCore/FreeListInlines.h:46:16 #97 0x7f79a53ee008 in JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/JavaScriptCore/PrivateHeaders/JavaScriptCore/LocalAllocatorInlines.h:37:23 #98 0x7f79a53ee008 in JSC::Allocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode) const /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/JavaScriptCore/PrivateHeaders/JavaScriptCore/AllocatorInlines.h:35:30 #99 0x7f79a53ee008 in JSC::IsoSubspace::allocateNonVirtual(JSC::VM&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/JavaScriptCore/PrivateHeaders/JavaScriptCore/IsoSubspaceInlines.h:34:30 #100 0x7f79a53ee008 in void* JSC::tryAllocateCellHelper<WebCore::JSHTMLCollection>(JSC::Heap&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/JavaScriptCore/PrivateHeaders/JavaScriptCore/JSCellInlines.h:180:63 #101 0x7f79a53ee008 in void* JSC::allocateCell<WebCore::JSHTMLCollection>(JSC::Heap&, unsigned long) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/JavaScriptCore/PrivateHeaders/JavaScriptCore/JSCellInlines.h:194:12 #102 0x7f79a53e97f3 in WebCore::JSHTMLCollection::create(JSC::Structure*, WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::HTMLCollection, WTF::RawPtrTraits<WebCore::HTMLCollection> >&&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WebCore/DerivedSources/JSHTMLCollection.h:34:47 #103 0x7f79a53e97f3 in std::enable_if<std::is_same<WebCore::HTMLCollection, WebCore::HTMLCollection>::value, WebCore::JSDOMWrapperConverterTraits<WebCore::HTMLCollection>::WrapperClass*>::type WebCore::createWrapper<WebCore::HTMLCollection, WebCore::HTMLCollection>(WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::HTMLCollection, WTF::RawPtrTraits<WebCore::HTMLCollection> >&&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/bindings/js/JSDOMWrapperCache.h:190:21 #104 0x7f79a53e9caa in WebCore::toJSNewlyCreated(JSC::JSGlobalObject*, WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::HTMLCollection, WTF::RawPtrTraits<WebCore::HTMLCollection> >&&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/bindings/js/JSHTMLCollectionCustom.cpp:45:12 #105 0x7f79a53e9caa in JSC::JSValue WebCore::wrap<WebCore::HTMLCollection>(JSC::JSGlobalObject*, WebCore::JSDOMGlobalObject*, WebCore::HTMLCollection&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/bindings/js/JSDOMWrapperCache.h:204:12 #106 0x7f79a35c6e00 in JSC::JSValue WebCore::JSConverter<WebCore::IDLInterface<WebCore::HTMLCollection> >::convert<WTF::Ref<WebCore::HTMLCollection, WTF::RawPtrTraits<WebCore::HTMLCollection> > >(JSC::JSGlobalObject&, WebCore::JSDOMGlobalObject&, WTF::Ref<WebCore::HTMLCollection, WTF::RawPtrTraits<WebCore::HTMLCollection> > const&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/bindings/js/JSDOMConvertInterface.h:81:16 #107 0x7f79a35c6e00 in JSC::JSValue WebCore::JSConverterOverloader<WebCore::IDLInterface<WebCore::HTMLCollection>, true, true>::convert<WTF::Ref<WebCore::HTMLCollection, WTF::RawPtrTraits<WebCore::HTMLCollection> > >(JSC::JSGlobalObject&, WebCore::JSDOMGlobalObject&, WTF::Ref<WebCore::HTMLCollection, WTF::RawPtrTraits<WebCore::HTMLCollection> >&&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/bindings/js/JSDOMConvertBase.h:109:16 #108 0x7f79a35c6e00 in JSC::JSValue WebCore::toJS<WebCore::IDLInterface<WebCore::HTMLCollection>, WTF::Ref<WebCore::HTMLCollection, WTF::RawPtrTraits<WebCore::HTMLCollection> > >(JSC::JSGlobalObject&, WebCore::JSDOMGlobalObject&, WTF::Ref<WebCore::HTMLCollection, WTF::RawPtrTraits<WebCore::HTMLCollection> >&&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/bindings/js/JSDOMConvertBase.h:151:12 #109 0x7f79a35c6e00 in JSC::JSValue WebCore::toJS<WebCore::IDLInterface<WebCore::HTMLCollection>, WTF::Ref<WebCore::HTMLCollection, WTF::RawPtrTraits<WebCore::HTMLCollection> > >(JSC::JSGlobalObject&, WebCore::JSDOMGlobalObject&, JSC::ThrowScope&, WTF::Ref<WebCore::HTMLCollection, WTF::RawPtrTraits<WebCore::HTMLCollection> >&&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/bindings/js/JSDOMConvertBase.h:215:20 #110 0x7f79a35c6e00 in WebCore::jsDocumentPrototypeFunction_getElementsByTagNameBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WebCore/DerivedSources/JSDocument.cpp:5294:5 #111 0x7f79a35c6e00 in long WebCore::IDLOperation<WebCore::JSDocument>::call<&(WebCore::jsDocumentPrototypeFunction_getElementsByTagNameBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/bindings/js/JSDOMOperation.h:63:9 #112 0x7f79a35c6e00 in WebCore::jsDocumentPrototypeFunction_getElementsByTagName(JSC::JSGlobalObject*, JSC::CallFrame*) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WebCore/DerivedSources/JSDocument.cpp:5299:12 #113 0x7f7952feb1d7 (<unknown module>) Address 0x61b0000d4ab8 is a wild pointer. SUMMARY: AddressSanitizer: heap-buffer-overflow /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:702:21 in WebCore::TextureMapperLayer::setContentsLayer(WebCore::TextureMapperPlatformLayer*) Shadow bytes around the buggy address: 0x0c3680012900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c3680012910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c3680012920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c3680012930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c3680012940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x0c3680012950: fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa 0x0c3680012960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c3680012970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c3680012980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c3680012990: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c36800129a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==16712==ABORTING

Attachments
This file is generated by a browser fuzzer (956.01 KB, text/html) 2022-02-25 00:19 PST, Chijin	no flags	Details
Patch (4.89 KB, patch) 2022-03-22 04:06 PDT, Miguel Gomez	no flags	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2022-02-25 00:19:57 PST

<rdar://problem/89462099>

Carlos Garcia Campos

Comment 2 2022-02-25 00:46:57 PST

I think the problem is that TextureMapperPlatformLayerProxyGL is destroyed, but invalidate hasn't been called and m_targetLayer is still a non-null pointer to a released layer.

Chijin

Comment 3 2022-03-16 00:33:10 PDT

(In reply to Carlos Garcia Campos from comment #2) > I think the problem is that TextureMapperPlatformLayerProxyGL is destroyed, > but invalidate hasn't been called and m_targetLayer is still a non-null > pointer to a released layer. The Apple security says that this bug does not affect their platforms. Should someone looks after it?

Miguel Gomez

Comment 4 2022-03-16 04:23:36 PDT

(In reply to Carlos Garcia Campos from comment #2) > I think the problem is that TextureMapperPlatformLayerProxyGL is destroyed, > but invalidate hasn't been called and m_targetLayer is still a non-null > pointer to a released layer. Yes, that seems to be the problem. But in a normal scenario the destruction of the TextureMapperLayer pointed by m_targetLayer happens after invalidate has been called on the proxy. It should not be possible that the TextureMapperLayer is released but invalidate hasn't been called. There must be some tricky race condition here. Chijin, do you know if it's possible to reproduce the issue just by letting the attached example run? or do I need to do anything else, like closing the view or something?

Chijin

Comment 5 2022-03-16 04:36:44 PDT

(In reply to Miguel Gomez from comment #4) > (In reply to Carlos Garcia Campos from comment #2) > > I think the problem is that TextureMapperPlatformLayerProxyGL is destroyed, > > but invalidate hasn't been called and m_targetLayer is still a non-null > > pointer to a released layer. > > Yes, that seems to be the problem. But in a normal scenario the destruction > of the TextureMapperLayer pointed by m_targetLayer happens after invalidate > has been called on the proxy. It should not be possible that the > TextureMapperLayer is released but invalidate hasn't been called. There must > be some tricky race condition here. > > Chijin, do you know if it's possible to reproduce the issue just by letting > the attached example run? or do I need to do anything else, like closing the > view or something? Just run this html file and wait for 3~4 second and the it will trigger this crash. ./libexec/webkit2gtk-4.0/MiniBrowser /path/to/bufferoverflow_setContentsLayer.html

Miguel Gomez

Comment 6 2022-03-21 03:52:59 PDT

What seems to be happening here is an scenario that I didn't know was possible. The test creates and destroys several WebGLRenderingContext instances. Each instance is attached to a CoordinatedGraphicsLayer as their PlatformLayer, and propagated to the compositor thread, where the proxy for the PlatformLayer is activated and used by the corresponding TextureMapperLayer. This works fine. In theory, when the WebGLRenderingContext is destroyed, the attached CoordinatedGraphicsLayer is destroyed as well, which causes the compositor (inside the CoordinatedGraphicsScene) to call invalidate on the PlatformLayer proxy when deleting the layer. But what the test is doing is somehow detaching the PlatformLayer from the CoordinatedGraphicsLayer, but keeping the GraphicsLayer alive. On the compositor side, this causes that the proxy is not invalidated cause the layer doesn't have to be deleted. But when adopting the new scene state, we override the previous PlatformLayer (which becomes null), losing the reference to the previous proxy and the opportunity to call invalidate on it. After this scenario, if the TextureMaperLayer that was associated to the proxy is deleted before the proxy, when the proxy gets destroyed we get the use after free issue. I've checked that this is reproducible on ToT as well.

Miguel Gomez

Comment 7 2022-03-22 04:06:04 PDT

Created attachment 455361 [details] Patch

Chijin

Comment 8 2022-03-22 04:30:09 PDT

(In reply to Miguel Gomez from comment #6) > What seems to be happening here is an scenario that I didn't know was > possible. > > The test creates and destroys several WebGLRenderingContext instances. Each > instance is attached to a CoordinatedGraphicsLayer as their PlatformLayer, > and propagated to the compositor thread, where the proxy for the > PlatformLayer is activated and used by the corresponding TextureMapperLayer. > This works fine. > > In theory, when the WebGLRenderingContext is destroyed, the attached > CoordinatedGraphicsLayer is destroyed as well, which causes the compositor > (inside the CoordinatedGraphicsScene) to call invalidate on the > PlatformLayer proxy when deleting the layer. > > But what the test is doing is somehow detaching the PlatformLayer from the > CoordinatedGraphicsLayer, but keeping the GraphicsLayer alive. On the > compositor side, this causes that the proxy is not invalidated cause the > layer doesn't have to be deleted. But when adopting the new scene state, we > override the previous PlatformLayer (which becomes null), losing the > reference to the previous proxy and the opportunity to call invalidate on > it. After this scenario, if the TextureMaperLayer that was associated to the > proxy is deleted before the proxy, when the proxy gets destroyed we get the > use after free issue. > > I've checked that this is reproducible on ToT as well. Hi, did you mean that this issue affect Safari as well?

Miguel Gomez

Comment 9 2022-03-22 04:33:49 PDT

> Hi, did you mean that this issue affect Safari as well? Nope. It affects the master branch, but only the WPE and GTK ports, as it happens in code that's specific to them.

Carlos Garcia Campos

Comment 10 2022-03-22 04:57:32 PDT

Comment on attachment 455361 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=455361&action=review > Source/WebKit/Shared/CoordinatedGraphics/CoordinatedGraphicsScene.cpp:233 > + HashSet<Ref<WebCore::TextureMapperPlatformLayerProxy>> replacedProxiesToInvalidate; Why don't you store this in the layersByBacking struct? it's already captured by all the lambdas.

Miguel Gomez

Comment 11 2022-03-22 05:38:45 PDT

(In reply to Carlos Garcia Campos from comment #10) > Comment on attachment 455361 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=455361&action=review > > > Source/WebKit/Shared/CoordinatedGraphics/CoordinatedGraphicsScene.cpp:233 > > + HashSet<Ref<WebCore::TextureMapperPlatformLayerProxy>> replacedProxiesToInvalidate; > > Why don't you store this in the layersByBacking struct? it's already > captured by all the lambdas. I thought about it. But even when it would make the code simpler, the new var wouldn't make sense semantically inside the layersByBacking struct, as they are used for different things. Maybe it's because of the name "layersByBacking", which suggests a purpose that's not related to the new var. I don't know, it's just a completely subjective and philosophical decision with no strong arguments. I can move the new var in the struct if you think it's better ;)

Carlos Garcia Campos

Comment 12 2022-03-22 06:36:23 PDT

(In reply to Miguel Gomez from comment #11) > (In reply to Carlos Garcia Campos from comment #10) > > Comment on attachment 455361 [details] > > Patch > > > > View in context: > > https://bugs.webkit.org/attachment.cgi?id=455361&action=review > > > > > Source/WebKit/Shared/CoordinatedGraphics/CoordinatedGraphicsScene.cpp:233 > > > + HashSet<Ref<WebCore::TextureMapperPlatformLayerProxy>> replacedProxiesToInvalidate; > > > > Why don't you store this in the layersByBacking struct? it's already > > captured by all the lambdas. > > I thought about it. But even when it would make the code simpler, the new > var wouldn't make sense semantically inside the layersByBacking struct, as > they are used for different things. Maybe it's because of the name > "layersByBacking", which suggests a purpose that's not related to the new > var. I don't know, it's just a completely subjective and philosophical > decision with no strong arguments. I can move the new var in the struct if > you think it's better ;) No strong opinion either.

EWS

Comment 13 2022-03-22 08:38:36 PDT

Committed r291621 (248714@main): <https://commits.webkit.org/248714@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 455361 [details].

Miguel Gomez

Comment 14 2022-03-23 03:16:16 PDT

*** Bug 237188 has been marked as a duplicate of this bug. ***

Michael Catanzaro

Comment 15 2022-05-06 07:45:52 PDT

This received both CVE-2022-30293 and also CVE-2022-30294. I'll try to get -94 marked as a duplicate.

Carlos Alberto Lopez Perez

Comment 16 2022-05-06 09:16:50 PDT

(In reply to Michael Catanzaro from comment #15) > This received both CVE-2022-30293 and also CVE-2022-30294. I'll try to get > -94 marked as a duplicate. This will be included in an upcoming security advisory. @Chijin Who should I credit on the advisory as the one discovering the issue on this CVEs?

Chijin

Comment 17 2022-05-06 09:57:23 PDT

(In reply to Carlos Alberto Lopez Perez from comment #16) > (In reply to Michael Catanzaro from comment #15) > > This received both CVE-2022-30293 and also CVE-2022-30294. I'll try to get > > -94 marked as a duplicate. > > This will be included in an upcoming security advisory. > > @Chijin Who should I credit on the advisory as the one discovering the issue > on > this CVEs? "Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua wingtecher lab" would be fine. Thank you for your update.!

Carlos Alberto Lopez Perez

Comment 18 2022-05-30 07:08:10 PDT

(In reply to Chijin from comment #17) > (In reply to Carlos Alberto Lopez Perez from comment #16) > > (In reply to Michael Catanzaro from comment #15) > > > This received both CVE-2022-30293 and also CVE-2022-30294. I'll try to get > > > -94 marked as a duplicate. > > > > This will be included in an upcoming security advisory. > > > > @Chijin Who should I credit on the advisory as the one discovering the issue > > on > > this CVEs? > > "Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua wingtecher lab" would be fine. > Thank you for your update.! Credited in the following security advisories: WebKitGTK Advisory URL : https://webkitgtk.org/security/WSA-2022-0005.html WPE WebKit Advisory URL : https://wpewebkit.org/security/WSA-2022-0005.html

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Critical

Classification Unclassified

Version WebKit Local Build

Hardware PC

OS Linux

Product Security

Component Security

Assignee

WebKit Security Group

Reported

2022-02-25 00:19 PST

Modified

2022-05-30 07:08 PDT History

CC List

8 users Show

URL

Keywords InRadar

Duplicates (1)

237188 View as bug list

Depends on

Blocks