- Add bug281492.patch: fix crash in
  AccessibilityAtspi::textAttributes.
- Add bug281495.patch: fix crash in ProcessLauncher socket
  monitor callback.

OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/webkit2gtk3?expand=0&rev=486
Dominique Leuenberger 2024-10-17 06:30:25 +00:00 committed by Git OBS Bridge
parent c21365e6c3
commit fc35ad6c36
4 changed files with 190 additions and 0 deletions

94
bug281492.patch Normal file

@ -0,0 +1,94 @@
From 984e2a6b7a92b8c144f2b4463f5904e449cb3cc1 Mon Sep 17 00:00:00 2001
From: Georges Basile Stavracas Neto <feaneron@igalia.com>
Date: Tue, 15 Oct 2024 11:44:23 -0300
Subject: [PATCH] AX: [GTK]: Fix crash in
AccessibilityObjectAtspi::textAttributes
https://bugs.webkit.org/show_bug.cgi?id=281492
Reviewed by NOBODY (OOPS!).
In the AccessibilityObjectAtspi::textAttributes() method, the
accessibilityTextAttributes() function is called for various AXObjects.
These objects are retrived by querying the AXObjectCache of the
document.
However, the cache can legitimately return nullptr when the AXObject is
not cached. The AccessibilityObjectAtspi::textAttributes() method did
not check for nullptr, and the accessibilityTextAttributes() function
is not nullptr safe.
This crashes.
Make AccessibilityObjectAtspi::textAttributes() check if the AXObject
is a nullptr before passing it down to accessibilityTextAttributes().
* Source/WebCore/accessibility/atspi/AccessibilityObjectTextAtspi.cpp:
(WebCore::AccessibilityObjectAtspi::textAttributes const):
---
.../atspi/AccessibilityObjectTextAtspi.cpp | 21 ++++++++++++++++---
1 file changed, 18 insertions(+), 3 deletions(-)
diff --git a/Source/WebCore/accessibility/atspi/AccessibilityObjectTextAtspi.cpp b/Source/WebCore/accessibility/atspi/AccessibilityObjectTextAtspi.cpp
index 50b4f58be2f3..a49bfd939716 100644
--- a/Source/WebCore/accessibility/atspi/AccessibilityObjectTextAtspi.cpp
+++ b/Source/WebCore/accessibility/atspi/AccessibilityObjectTextAtspi.cpp
@@ -38,6 +38,7 @@
#include "TextIterator.h"
#include "VisibleUnits.h"
#include <gio/gio.h>
+#include <wtf/Assertions.h>
#include <wtf/unicode/CharacterNames.h>
namespace WebCore {
@@ -763,6 +764,9 @@ AccessibilityObjectAtspi::TextAttributes AccessibilityObjectAtspi::textAttribute
auto accessibilityTextAttributes = [this](AXCoreObject* axObject, const HashMap<String, String>& defaultAttributes) -> HashMap<String, String> {
HashMap<String, String> attributes;
+
+ RELEASE_ASSERT(axObject);
+
auto& style = axObject->renderer()->style();
auto addAttributeIfNeeded = [&](const String& name, const String& value) {
@@ -838,8 +842,11 @@ AccessibilityObjectAtspi::TextAttributes AccessibilityObjectAtspi::textAttribute
return { WTFMove(defaultAttributes), -1, -1 };
if (!*utf16Offset && m_hasListMarkerAtStart) {
+ auto axObject = m_coreObject->children()[0].get();
+ RELEASE_ASSERT(axObject);
+
// Always consider list marker an independent run.
- auto attributes = accessibilityTextAttributes(m_coreObject->children()[0].get(), defaultAttributes);
+ auto attributes = accessibilityTextAttributes(axObject, defaultAttributes);
if (!includeDefault)
return { WTFMove(attributes), 0, 1 };
@@ -871,7 +878,11 @@ AccessibilityObjectAtspi::TextAttributes AccessibilityObjectAtspi::textAttribute
if (r->firstChildSlow())
continue;
- auto childAttributes = accessibilityTextAttributes(r->document().axObjectCache()->get(r), defaultAttributes);
+ auto axObject = r->document().axObjectCache()->get(r);
+ if (!axObject)
+ continue;
+
+ auto childAttributes = accessibilityTextAttributes(axObject, defaultAttributes);
if (childAttributes != attributes)
break;
@@ -885,7 +896,11 @@ AccessibilityObjectAtspi::TextAttributes AccessibilityObjectAtspi::textAttribute
if (r->firstChildSlow())
continue;
- auto childAttributes = accessibilityTextAttributes(r->document().axObjectCache()->get(r), defaultAttributes);
+ auto axObject = r->document().axObjectCache()->get(r);
+ if (!axObject)
+ continue;
+
+ auto childAttributes = accessibilityTextAttributes(axObject, defaultAttributes);
if (childAttributes != attributes)
break;
--
2.46.1
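Review bot: The list-marker branch in the hunk at @@ -838 still crashes on a null object, only now deliberately: `RELEASE_ASSERT(axObject)` on the value of `m_coreObject->children()[0].get()` aborts the process, whereas the two later hunks (@@ -871 and @@ -885) handle a null result from `axObjectCache()->get(r)` by skipping the run. Unless a null first child is known to be impossible whenever `m_hasListMarkerAtStart` is set, mirroring the early return already present at the top of that hunk, `if (!axObject) return { WTFMove(defaultAttributes), -1, -1 };`, would avoid the abort rather than relabel it; the same question applies to the assert added inside the `accessibilityTextAttributes` lambda at @@ -763, which also leaves `axObject->renderer()` unchecked on the following line. The null-check-and-continue block is now duplicated verbatim in the last two hunks, so a small helper that fetches the cached object and returns early would keep them in sync. The body of `textAttributes` starts and ends outside these hunks.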

84
bug281495.patch Normal file

@ -0,0 +1,84 @@
From 8fd152326050b81559903682e0767d289adef9cb Mon Sep 17 00:00:00 2001
From: Michael Catanzaro <mcatanzaro@redhat.com>
Date: Wed, 16 Oct 2024 13:45:39 -0500
Subject: [PATCH] REGRESSION(283414@main): [WPE][GTK] Crash in ProcessLauncher
socket monitor callback https://bugs.webkit.org/show_bug.cgi?id=281495
Reviewed by NOBODY (OOPS!).
The socket monitor callback that I added in 283414@main accidentally
deletes itself by calling m_socketMonitor.stop(). This causes the lambda
capture to itself be deleted. We can change the socket monitor to wait
until the callback has finished before deleting it.
* Source/WTF/wtf/glib/GSocketMonitor.cpp:
(WTF::GSocketMonitor::~GSocketMonitor):
(WTF::GSocketMonitor::socketSourceCallback):
(WTF::GSocketMonitor::stop):
---
Source/WTF/wtf/glib/GSocketMonitor.cpp | 21 +++++++++++++++++++--
Source/WTF/wtf/glib/GSocketMonitor.h | 2 ++
2 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/Source/WTF/wtf/glib/GSocketMonitor.cpp b/Source/WTF/wtf/glib/GSocketMonitor.cpp
index c88ea9f91ca4..f3e31efb5053 100644
--- a/Source/WTF/wtf/glib/GSocketMonitor.cpp
+++ b/Source/WTF/wtf/glib/GSocketMonitor.cpp
@@ -33,6 +33,7 @@ namespace WTF {
GSocketMonitor::~GSocketMonitor()
{
+ RELEASE_ASSERT(!m_isExecutingCallback);
stop();
}
@@ -40,7 +41,17 @@ gboolean GSocketMonitor::socketSourceCallback(GSocket*, GIOCondition condition,
{
if (g_cancellable_is_cancelled(monitor->m_cancellable.get()))
return G_SOURCE_REMOVE;
- return monitor->m_callback(condition);
+
+ monitor->m_isExecutingCallback = true;
+ gboolean result = monitor->m_callback(condition);
+ monitor->m_isExecutingCallback = false;
+
+ if (monitor->m_shouldDestroyCallback) {
+ monitor->m_callback = nullptr;
+ monitor->m_shouldDestroyCallback = false;
+ }
+
+ return result;
}
void GSocketMonitor::start(GSocket* socket, GIOCondition condition, RunLoop& runLoop, Function<gboolean(GIOCondition)>&& callback)
@@ -65,7 +76,13 @@ void GSocketMonitor::stop()
m_cancellable = nullptr;
g_source_destroy(m_source.get());
m_source = nullptr;
- m_callback = nullptr;
+
+ // It's normal to stop the socket monitor from inside its callback.
+ // Don't destroy the callback while it's still executing.
+ if (m_isExecutingCallback)
+ m_shouldDestroyCallback = true;
+ else
+ m_callback = nullptr;
}
} // namespace WTF
diff --git a/Source/WTF/wtf/glib/GSocketMonitor.h b/Source/WTF/wtf/glib/GSocketMonitor.h
index 7ec383a6e37c..9393c546b593 100644
--- a/Source/WTF/wtf/glib/GSocketMonitor.h
+++ b/Source/WTF/wtf/glib/GSocketMonitor.h
@@ -51,6 +51,8 @@ private:
GRefPtr<GSource> m_source;
GRefPtr<GCancellable> m_cancellable;
Function<gboolean(GIOCondition)> m_callback;
+ bool m_isExecutingCallback { false };
+ bool m_shouldDestroyCallback { false };
};
} // namespace WTF
--
2.46.1
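Review bot: Nothing in this patch clears `m_shouldDestroyCallback` on a restart, so if a callback calls `stop()` and then `start()` again before returning, the deferred branch at the end of `socketSourceCallback` would null the newly installed callback once the old one returns; `start()` is declared right after the hunk but its body is outside it, so if that sequence is reachable it should reset the flag, `m_shouldDestroyCallback = false;`, before storing the new callback. The new `RELEASE_ASSERT(!m_isExecutingCallback)` in the destructor deserves a one-line comment, since its purpose is only clear from the other hunk: `// Deleting the monitor from inside its own callback would leave socketSourceCallback writing to freed memory.` The two new flags in GSocketMonitor.h would likewise benefit from a comment stating that they are only touched from the run loop that owns the source, if that is the intended contract.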


@ -1,3 +1,11 @@
-------------------------------------------------------------------
Wed Oct 16 21:49:23 UTC 2024 - Michael Gorse <mgorse@suse.com>
- Add bug281492.patch: fix crash in
AccessibilityAtspi::textAttributes.
- Add bug281495.patch: fix crash in ProcessLauncher socket
monitor callback.
-------------------------------------------------------------------
Fri Oct 4 11:19:52 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>


@ -92,6 +92,10 @@ Source99: webkit2gtk3.keyring
# PATCH-FEATURE-OPENSUSE reproducibility.patch -- Make build reproducible
Patch0: reproducibility.patch
# PATCH-FIX-UPSTREAM bug281492.patch mgorse@suse.com -- fix crash in AccessibilityObjectAtspi::textAttributes.
Patch1: bug281492.patch
# PATCH-FIX-UPSTREAM bug281495.patch mgorse@suse.com -- Fix crash in ProcessLauncher socket monitor callback.
Patch2: bug281495.patch
BuildRequires: Mesa-libEGL-devel
BuildRequires: Mesa-libGL-devel