Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 8df060354aae3827a95a06b196c8c8ce8a536cde
https://github.com/WebKit/WebKit/commit/8df060354aae3827a95a06b196c8c8ce8a536cde
Author: Sihui Liu <[email protected]>
Date: 2025-11-12 (Wed, 12 Nov 2025)
Changed paths:
A LayoutTests/http/wpt/webaudio/the-audio-api/the-audioworklet-interface/options-range-error-expected.txt
A LayoutTests/http/wpt/webaudio/the-audio-api/the-audioworklet-interface/options-range-error.html
M Source/WebCore/Modules/webaudio/AudioWorkletNode.cpp
Log Message:
-----------
Avoid creating AudioWorkletNode with out-of-range parameters
rdar://156322582
Reviewed by Ryosuke Niwa.
Existing implementation allows clients to create AudioWorkletNode with
numberOfInputs and numberOfOutputs up to UINT32_MAX, and this could lead to
web content process crash when AudioWorkletNode tries to construct Vectors
with big size. To avoid that, now we set the maximum allowed numbers to be
UINT16_MAX (to match Firefox's behavior), and throw RangeError if parameter
is out of range.
* LayoutTests/http/wpt/webaudio/the-audio-api/the-audioworklet-interface/options-range-error-expected.txt: Added.
* LayoutTests/http/wpt/webaudio/the-audio-api/the-audioworklet-interface/options-range-error.html: Added.
* Source/WebCore/Modules/webaudio/AudioWorkletNode.cpp:
(WebCore::AudioWorkletNode::create):
Originally-landed-as: 297297.215@safari-7622-branch (d4b50b1f7725).
rdar://164281024
Canonical link: https://commits.webkit.org/302957@main
Commit: 569f9f07502847a509d1592019b451ab0b15cfd8
https://github.com/WebKit/WebKit/commit/569f9f07502847a509d1592019b451ab0b15cfd8
Author: Said Abou-Hallawa <[email protected]>
Date: 2025-11-12 (Wed, 12 Nov 2025)
Changed paths:
A LayoutTests/http/tests/security/offscreen-canvas-remote-read-remote-image-expected.txt
A LayoutTests/http/tests/security/offscreen-canvas-remote-read-remote-image.html
M Source/WebCore/html/OffscreenCanvas.cpp
M Source/WebCore/html/canvas/PlaceholderRenderingContext.cpp
M Source/WebCore/html/canvas/PlaceholderRenderingContext.h
Log Message:
-----------
Offscreen canvas allows leaking cross-origin image
https://bugs.webkit.org/show_bug.cgi?id=297566
rdar://157055145
Reviewed by Kimmo Kinnunen.
If a cross-origin image is drawn to an ImageBitmap and it is transferred to an
OffscreenCanvas, the context of the output canvas should be tainted.
* LayoutTests/http/tests/security/offscreen-canvas-remote-read-remote-image-expected.txt: Added.
* LayoutTests/http/tests/security/offscreen-canvas-remote-read-remote-image.html: Added.
* Source/WebCore/html/OffscreenCanvas.cpp:
(WebCore::OffscreenCanvas::commitToPlaceholderCanvas):
* Source/WebCore/html/canvas/PlaceholderRenderingContext.cpp:
(WebCore::PlaceholderRenderingContextSource::setPlaceholderBuffer):
(WebCore::PlaceholderRenderingContext::setPlaceholderBuffer):
* Source/WebCore/html/canvas/PlaceholderRenderingContext.h:
Originally-landed-as: 297297.288@safari-7622-branch (bdeaba2e1881).
rdar://164280686
Canonical link: https://commits.webkit.org/302958@main
Commit: 8107fd50709174433bcaab8eab18333abb53d981
https://github.com/WebKit/WebKit/commit/8107fd50709174433bcaab8eab18333abb53d981
Author: Keith Miller <[email protected]>
Date: 2025-11-12 (Wed, 12 Nov 2025)
Changed paths:
A JSTests/stress/map-rehash-oom.js
A JSTests/stress/set-rehash-oom.js
M Source/JavaScriptCore/runtime/OrderedHashTableHelper.h
Log Message:
-----------
Clean up OrderedHashTable Resizing
https://bugs.webkit.org/show_bug.cgi?id=297708
rdar://158014775
Reviewed by Yusuke Suzuki.
When inserting into an OrderedHashTable, if the buffer is resized and then
subsequently an exception is thrown, the original buffer will be left in an
inconsistent state. This patch takes two approaches to this problem:
1) Compute the hash key before resizing. This isn't observable semantically
   since resizing can only OOM and that is free to happen anywhere.
2) Only commit the new buffer once everything is set up. This way if we change
   our design in the future and throw somewhere in the middle we'll just roll
   back to the previous state.
Lastly, convert some shifts into multiplications/divisions by the appropriate
power of two. Clang will convert the muls/divs into the corresponding shifts
so we should focus on readability.
Originally-landed-as: 297297.293@safari-7622-branch (5b49a0d04fbe).
rdar://164280528
Canonical link: https://commits.webkit.org/302959@main
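
Added example, not part of the commit and not JavaScriptCore code: a toy insertion-ordered set in C++ that applies the two approaches from the OrderedHashTable log message above (hash before resizing, commit the new buffer last). `ToyOrderedSet`, its throwing hasher and `maxBuckets` (a constructed limit that simulates OOM on growth) are assumptions made for illustration.

```cpp
#include <cstddef>
#include <functional>
#include <new>
#include <string>
#include <utility>
#include <vector>

// Toy insertion-ordered set. All names are hypothetical, not JavaScriptCore's.
const std::size_t kEmpty = static_cast<std::size_t>(-1);

class ToyOrderedSet {
public:
    using Hasher = std::function<std::size_t(const std::string&)>;
    std::size_t maxBuckets = 1u << 20; // constructed limit that simulates OOM on growth
    explicit ToyOrderedSet(Hasher hasher) : m_hasher(std::move(hasher)), m_buckets(4, kEmpty) {}
    bool add(const std::string& key) {
        // Approach 1: hash before any resize, so a throwing hasher leaves the table untouched.
        const std::size_t hash = m_hasher(key);
        if (m_buckets[find(m_buckets, key, hash)] != kEmpty) return false; // already present
        // Approach 2: build the larger bucket array off to the side.
        std::vector<std::size_t> staged;
        const bool grow = (m_entries.size() + 1) * 2 > m_buckets.size();
        if (grow) {
            if (m_buckets.size() * 2 > maxBuckets) throw std::bad_alloc();
            staged.assign(m_buckets.size() * 2, kEmpty);
            for (std::size_t i = 0; i < m_entries.size(); ++i)
                staged[find(staged, m_entries[i].first, m_entries[i].second)] = i;
        }
        // Commit: emplace_back is the last call that can throw; the rest cannot fail.
        m_entries.emplace_back(key, hash);
        if (grow) m_buckets.swap(staged);
        m_buckets[find(m_buckets, key, hash)] = m_entries.size() - 1;
        return true;
    }
    bool contains(const std::string& key) const { return m_buckets[find(m_buckets, key, m_hasher(key))] != kEmpty; }
    std::size_t size() const { return m_entries.size(); }
    std::size_t bucketCount() const { return m_buckets.size(); }
private:
    // Linear probing: returns the slot holding `key`, or the first empty slot.
    std::size_t find(const std::vector<std::size_t>& buckets, const std::string& key, std::size_t hash) const {
        std::size_t slot = hash % buckets.size();
        while (buckets[slot] != kEmpty && m_entries[buckets[slot]].first != key)
            slot = (slot + 1) % buckets.size();
        return slot;
    }
    Hasher m_hasher;
    std::vector<std::pair<std::string, std::size_t>> m_entries;
    std::vector<std::size_t> m_buckets;
};
```

A failed `add` leaves `size()`, `bucketCount()` and every earlier lookup unchanged, whether the failure came from the hasher or from the simulated allocation limit.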
Compare: https://github.com/WebKit/WebKit/compare/5ee4e32d779a...8107fd507091