[WebGPU] RenderBundleEncoder::setVertexBuffer may result in a UAF

https://bugs.webkit.org/show_bug.cgi?id=274525 <radar://128537945> Reviewed by Dan Glastonbury. Every other call site to recordCommand captures by Ref, this was the only outlier passing a raw C++ pointer to the lambda. * Source/WebGPU/WebGPU/RenderBundleEncoder.mm: (WebGPU::RenderBundleEncoder::setVertexBuffer): Canonical link: https://commits.webkit.org/279171@main
WebKit · May 23, 2024 · 140660a · 140660a
1 parent a0dd96a
commit 140660a
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/Source/WebGPU/WebGPU/RenderBundleEncoder.mm b/Source/WebGPU/WebGPU/RenderBundleEncoder.mm
@@ -1076,8 +1076,8 @@ - (instancetype)initWithICB:(id<MTLIndirectCommandBuffer>)icb pipelineState:(id<
         }
 
         m_requiresMetalWorkaround = false;
-        recordCommand([slot, optionalBuffer, offset, size, protectedThis = Ref { *this }] {
-            protectedThis->setVertexBuffer(slot, optionalBuffer, offset, size);
+        recordCommand([slot, optionalBuffer = RefPtr { optionalBuffer }, offset, size, protectedThis = Ref { *this }] {
+            protectedThis->setVertexBuffer(slot, optionalBuffer.get(), offset, size);
             return false;
         });
     }