diff --git a/bug281492.patch b/bug281492.patch
new file mode 100644
index 0000000..bdfc0c5
--- /dev/null
+++ b/bug281492.patch
@@ -0,0 +1,94 @@
+From 984e2a6b7a92b8c144f2b4463f5904e449cb3cc1 Mon Sep 17 00:00:00 2001
+From: Georges Basile Stavracas Neto
+Date: Tue, 15 Oct 2024 11:44:23 -0300
+Subject: [PATCH] AX: [GTK]: Fix crash in
+ AccessibilityObjectAtspi::textAttributes
+ https://bugs.webkit.org/show_bug.cgi?id=281492
+
+Reviewed by NOBODY (OOPS!).
+
+In the AccessibilityObjectAtspi::textAttributes() method, the
+accessibilityTextAttributes() function is called for various AXObjects.
+These objects are retrived by querying the AXObjectCache of the
+document.
+
+However, the cache can legitimately return nullptr when the AXObject is
+not cached. The AccessibilityObjectAtspi::textAttributes() method did
+not check for nullptr, and the accessibilityTextAttributes() function
+is not nullptr safe.
+
+This crashes.
+
+Make AccessibilityObjectAtspi::textAttributes() check if the AXObject
+is a nullptr before passing it down to accessibilityTextAttributes().
+
+* Source/WebCore/accessibility/atspi/AccessibilityObjectTextAtspi.cpp:
+(WebCore::AccessibilityObjectAtspi::textAttributes const):
+---
+ .../atspi/AccessibilityObjectTextAtspi.cpp | 21 ++++++++++++++++---
+ 1 file changed, 18 insertions(+), 3 deletions(-)
+
+diff --git a/Source/WebCore/accessibility/atspi/AccessibilityObjectTextAtspi.cpp b/Source/WebCore/accessibility/atspi/AccessibilityObjectTextAtspi.cpp
+index 50b4f58be2f3..a49bfd939716 100644
+--- a/Source/WebCore/accessibility/atspi/AccessibilityObjectTextAtspi.cpp
++++ b/Source/WebCore/accessibility/atspi/AccessibilityObjectTextAtspi.cpp
+@@ -38,6 +38,7 @@
+ #include "TextIterator.h"
+ #include "VisibleUnits.h"
+ #include
++#include
+ #include
+
+ namespace WebCore {
+@@ -763,6 +764,9 @@ AccessibilityObjectAtspi::TextAttributes AccessibilityObjectAtspi::textAttribute
+
+ auto accessibilityTextAttributes = [this](AXCoreObject* axObject, const HashMap& defaultAttributes) -> HashMap {
+ HashMap attributes;
++
++ RELEASE_ASSERT(axObject);
++
+ auto& style = 
axObject->renderer()->style();
+
+ auto addAttributeIfNeeded = [&](const String& name, const String& value) {
+@@ -838,8 +842,11 @@ AccessibilityObjectAtspi::TextAttributes AccessibilityObjectAtspi::textAttribute
+ return { WTFMove(defaultAttributes), -1, -1 };
+
+ if (!*utf16Offset && m_hasListMarkerAtStart) {
++ auto axObject = m_coreObject->children()[0].get();
++ RELEASE_ASSERT(axObject);
++
+ // Always consider list marker an independent run.
+- auto attributes = accessibilityTextAttributes(m_coreObject->children()[0].get(), defaultAttributes);
++ auto attributes = accessibilityTextAttributes(axObject, defaultAttributes);
+ if (!includeDefault)
+ return { WTFMove(attributes), 0, 1 };
+
+@@ -871,7 +878,11 @@ AccessibilityObjectAtspi::TextAttributes AccessibilityObjectAtspi::textAttribute
+ if (r->firstChildSlow())
+ continue;
+
+- auto childAttributes = accessibilityTextAttributes(r->document().axObjectCache()->get(r), defaultAttributes);
++ auto axObject = r->document().axObjectCache()->get(r);
++ if (!axObject)
++ continue;
++
++ auto childAttributes = accessibilityTextAttributes(axObject, defaultAttributes);
+ if (childAttributes != attributes)
+ break;
+
+@@ -885,7 +896,11 @@ AccessibilityObjectAtspi::TextAttributes AccessibilityObjectAtspi::textAttribute
+ if (r->firstChildSlow())
+ continue;
+
+- auto childAttributes = accessibilityTextAttributes(r->document().axObjectCache()->get(r), defaultAttributes);
++ auto axObject = r->document().axObjectCache()->get(r);
++ if (!axObject)
++ continue;
++
++ auto childAttributes = accessibilityTextAttributes(axObject, defaultAttributes);
+ if (childAttributes != attributes)
+ break;
+
+--
+2.46.1
+
diff --git a/bug281495.patch b/bug281495.patch
new file mode 100644
index 0000000..272fe94
--- /dev/null
+++ b/bug281495.patch
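Review bot: The list-marker branch at `if (!*utf16Offset && m_hasListMarkerAtStart)` fetches `m_coreObject->children()[0].get()` and then `RELEASE_ASSERT(axObject)`, so a null first child still terminates the process (and `[0]` is not visibly guarded against an empty children() vector), while the two render-tree loops in the same hunk now skip a null cache lookup with `if (!axObject) continue;`. If the marker child can never be null, a one-line comment stating why belongs next to the assert; otherwise falling back the way the loops do, e.g. `if (!axObject) return { WTFMove(defaultAttributes), -1, -1 };` mirroring the return a few lines above, is more consistent with the stated goal of not crashing on uncached objects. The `RELEASE_ASSERT(axObject)` added inside the accessibilityTextAttributes lambda duplicates that caller-side assert, and the very next line `axObject->renderer()->style()` is still unchecked — I cannot tell from the hunk whether renderer() may be null for an AXObject reaching this lambda, but if it can, the same crash class remains one line later. textAttributes() begins and ends outside the hunk.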
@@ -0,0 +1,84 @@
+From 8fd152326050b81559903682e0767d289adef9cb Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro
+Date: Wed, 16 Oct 2024 13:45:39 -0500
+Subject: [PATCH] REGRESSION(283414@main): [WPE][GTK] Crash in ProcessLauncher
+ socket monitor callback https://bugs.webkit.org/show_bug.cgi?id=281495
+
+Reviewed by NOBODY (OOPS!).
+
+The socket monitor callback that I added in 283414@main accidentally
+deletes itself by calling m_socketMonitor.stop(). This causes the lambda
+capture to itself be deleted. We can change the socket monitor to wait
+until the callback has finished before deleting it.
+
+* Source/WTF/wtf/glib/GSocketMonitor.cpp:
+(WTF::GSocketMonitor::~GSocketMonitor):
+(WTF::GSocketMonitor::socketSourceCallback):
+(WTF::GSocketMonitor::stop):
+---
+ Source/WTF/wtf/glib/GSocketMonitor.cpp | 21 +++++++++++++++++++--
+ Source/WTF/wtf/glib/GSocketMonitor.h | 2 ++
+ 2 files changed, 21 insertions(+), 2 deletions(-)
+
+diff --git a/Source/WTF/wtf/glib/GSocketMonitor.cpp b/Source/WTF/wtf/glib/GSocketMonitor.cpp
+index c88ea9f91ca4..f3e31efb5053 100644
+--- a/Source/WTF/wtf/glib/GSocketMonitor.cpp
++++ b/Source/WTF/wtf/glib/GSocketMonitor.cpp
+@@ -33,6 +33,7 @@ namespace WTF {
+
+ GSocketMonitor::~GSocketMonitor()
+ {
++ RELEASE_ASSERT(!m_isExecutingCallback);
+ stop();
+ }
+
+@@ -40,7 +41,17 @@ gboolean GSocketMonitor::socketSourceCallback(GSocket*, GIOCondition condition,
+ {
+ if (g_cancellable_is_cancelled(monitor->m_cancellable.get()))
+ return G_SOURCE_REMOVE;
+- return monitor->m_callback(condition);
++
++ monitor->m_isExecutingCallback = true;
++ gboolean result = monitor->m_callback(condition);
++ monitor->m_isExecutingCallback = false;
++
++ if (monitor->m_shouldDestroyCallback) {
++ monitor->m_callback = nullptr;
++ monitor->m_shouldDestroyCallback = false;
++ }
++
++ return result;
+ }
+
+ void GSocketMonitor::start(GSocket* socket, GIOCondition condition, RunLoop& runLoop, Function&& callback)
+@@ -65,7 +76,13 @@ void GSocketMonitor::stop()
+ 
m_cancellable = nullptr;
+ g_source_destroy(m_source.get());
+ m_source = nullptr;
+- m_callback = nullptr;
++
++ // It's normal to stop the socket monitor from inside its callback.
++ // Don't destroy the callback while it's still executing.
++ if (m_isExecutingCallback)
++ m_shouldDestroyCallback = true;
++ else
++ m_callback = nullptr;
+ }
+
+ } // namespace WTF
+diff --git a/Source/WTF/wtf/glib/GSocketMonitor.h b/Source/WTF/wtf/glib/GSocketMonitor.h
+index 7ec383a6e37c..9393c546b593 100644
+--- a/Source/WTF/wtf/glib/GSocketMonitor.h
++++ b/Source/WTF/wtf/glib/GSocketMonitor.h
+@@ -51,6 +51,8 @@ private:
+ GRefPtr m_source;
+ GRefPtr m_cancellable;
+ Function m_callback;
++ bool m_isExecutingCallback { false };
++ bool m_shouldDestroyCallback { false };
+ };
+
+ } // namespace WTF
+--
+2.46.1
+
diff --git a/webkit2gtk3.changes b/webkit2gtk3.changes
index ba79470..e3ba468 100644
--- a/webkit2gtk3.changes
+++ b/webkit2gtk3.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Wed Oct 16 21:49:23 UTC 2024 - Michael Gorse
+
+- Add bug281492.patch: fix crash in
+ AccessibilityAtspi::textAttributes.
+- Add bug281495.patch: fix crash in ProcessLauncher socket
+ monitor callback.
+
 -------------------------------------------------------------------
 Fri Oct 4 11:19:52 UTC 2024 - Dominique Leuenberger
diff --git a/webkit2gtk3.spec b/webkit2gtk3.spec
index ab2b4b6..af3e26f 100644
--- a/webkit2gtk3.spec
+++ b/webkit2gtk3.spec
@@ -92,6 +92,10 @@ Source99: webkit2gtk3.keyring
 # PATCH-FEATURE-OPENSUSE reproducibility.patch -- Make build reproducible
 Patch0: reproducibility.patch
+# PATCH-FIX-UPSTREAM bug281492.patch mgorse@suse.com -- fix crash in AccessibilityObjectAtspi::textAttributes.
+Patch1: bug281492.patch
+# PATCH-FIX-UPSTREAM bug281495.patch mgorse@suse.com -- Fix crash in ProcessLauncher socket monitor callback.
+Patch2: bug281495.patch
 BuildRequires: Mesa-libEGL-devel
 BuildRequires: Mesa-libGL-devel
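Review bot: `stop()` now records `m_shouldDestroyCallback = true` when called from inside the callback, but nothing in the hunk clears that flag if the monitor is re-armed before the callback returns, so a callback that calls stop() and then start() with a new handler would have the fresh handler nulled out by the `if (monitor->m_shouldDestroyCallback)` block in socketSourceCallback() (start()'s body is outside the hunk, so that it assigns m_callback is inferred from its signature). Resetting the flag where the new callback is installed, `m_shouldDestroyCallback = false;` at the top of start(), closes that window. The new `RELEASE_ASSERT(!m_isExecutingCallback)` in the destructor turns destroying the monitor from its own callback into a deliberate abort instead of the callback's closure being torn down underneath it, which is the right trade but is undocumented; the two fields added to GSocketMonitor.h deserve a comment recording that invariant, e.g. `// Set while m_callback runs; the monitor must not be destroyed, and m_callback not reset, until it returns.` on the first and `// stop() was called from inside the callback; m_callback is released once it returns.` on the second. Both flags are plain bools, which is only sound if start()/stop() and the GSource callback all run on the same RunLoop thread — the hunk does not show that, so it is worth stating in the same comment.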