Null dereference in PDFPlugin::snapshot()

https://bugs.webkit.org/show_bug.cgi?id=217668 Patch by Julian Gonzalez <julian_a_gonzalez@apple.com> on 2020-10-13 Reviewed by Ryosuke Niwa. Source/WebKit: Add a null pointer check in PDFPlugin's snapshot method to prevent a crash if the backing store's size isn't sufficient for the ShareableBitmap. Test: plugins/pdf-plugin-null-onloaddeddata.html * WebProcess/Plugins/PDF/PDFPlugin.mm: (WebKit::PDFPlugin::snapshot): LayoutTests: Add new pass-if-no-crash test to catch crash in PDFPlugin snapshotting. * plugins/pdf-plugin-null-onloaddeddata-expected.txt: Added. * plugins/pdf-plugin-null-onloaddeddata.html: Added. Canonical link: https://commits.webkit.org/230427@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@268432 268f45cc-cd09-0410-ab3c-d52691b4dbfc
WebKit · Oct 13, 2020 · 51a7ebc · 51a7ebc
1 parent d078e28
commit 51a7ebc
Show file tree

Hide file tree

Showing 5 changed files with 57 additions and 0 deletions.
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
@@ -1,3 +1,16 @@
+2020-10-13  Julian Gonzalez  <julian_a_gonzalez@apple.com>
+
+        Null dereference in PDFPlugin::snapshot()
+        https://bugs.webkit.org/show_bug.cgi?id=217668
+
+        Reviewed by Ryosuke Niwa.
+
+        Add new pass-if-no-crash test to catch crash in PDFPlugin
+        snapshotting.
+
+        * plugins/pdf-plugin-null-onloaddeddata-expected.txt: Added.
+        * plugins/pdf-plugin-null-onloaddeddata.html: Added.
+
 2020-10-13  Chris Dumez  <cdumez@apple.com>
 
         WebAudio tests are crashing in debug when enabling the GPU process

diff --git a/LayoutTests/plugins/pdf-plugin-null-onloaddeddata-expected.txt b/LayoutTests/plugins/pdf-plugin-null-onloaddeddata-expected.txt
@@ -0,0 +1,4 @@
+This tests determining the PDF plugin does not crash upon a null onloadeddata variable.
+
+PASS
+
diff --git a/LayoutTests/plugins/pdf-plugin-null-onloaddeddata.html b/LayoutTests/plugins/pdf-plugin-null-onloaddeddata.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<head>
+<style>
+embed, body { zoom: 61; }
+</style>
+</head>
+<body onload=pdfonload()>
+<p>This tests determining the PDF plugin does not crash upon a null onloadeddata variable.</p>
+<div id="result">FAIL</div>
+<embed id="testPlugin" type="application/pdf"></embed>
+<script>
+function pdfonload() {
+    testPlugin.onloadeddata = null;
+
+    if (window.testRunner)
+        testRunner.dumpAsText();
+
+    result.textContent = 'PASS';
+}
+</script>
+</body>
+</html>
diff --git a/Source/WebKit/ChangeLog b/Source/WebKit/ChangeLog
@@ -1,3 +1,19 @@
+2020-10-13  Julian Gonzalez  <julian_a_gonzalez@apple.com>
+
+        Null dereference in PDFPlugin::snapshot()
+        https://bugs.webkit.org/show_bug.cgi?id=217668
+
+        Reviewed by Ryosuke Niwa.
+
+        Add a null pointer check in PDFPlugin's snapshot method
+        to prevent a crash if the backing store's size
+        isn't sufficient for the ShareableBitmap.
+
+        Test: plugins/pdf-plugin-null-onloaddeddata.html
+
+        * WebProcess/Plugins/PDF/PDFPlugin.mm:
+        (WebKit::PDFPlugin::snapshot):
+
 2020-10-12  Ryosuke Niwa  <rniwa@webkit.org>
 
         IPC testing JS API should expose a reply and describe the list of arguments for each message

diff --git a/Source/WebKit/WebProcess/Plugins/PDF/PDFPlugin.mm b/Source/WebKit/WebProcess/Plugins/PDF/PDFPlugin.mm
@@ -1948,6 +1948,8 @@ static void jsPDFDocFinalize(JSObjectRef object)
     backingStoreSize.scale(contentsScaleFactor);
 
     auto bitmap = ShareableBitmap::createShareable(backingStoreSize, { });
+    if (!bitmap)
+        return nullptr;
     auto context = bitmap->createGraphicsContext();
     if (!context)
         return nullptr;