Validate key paths of animations in an animation group sent over IPC

https://bugs.webkit.org/show_bug.cgi?id=271476 rdar://125216664 Reviewed by Simon Fraser. Assert that the key path of animations created within an animation group is valid when receiving them from an IPC connection in the same spirit as 259066@main. Additionally, we add a `Validator` for the `PlatformCAAnimationRemoteProperties::animationType` member such that it calls `PlatformCAAnimation::isValidKeyPath()` during the decoding process and trigger a `MESSAGE_CHECK` if the key is not valid. It is important to do this for `animationType` and not `keyPath` since we need both members to have been decoded first. * Source/WebKit/WebProcess/WebPage/RemoteLayerTree/PlatformCAAnimationRemote.mm: (WebKit::createAnimation): * Source/WebKit/WebProcess/WebPage/RemoteLayerTree/PlatformCAAnimationRemoteProperties.serialization.in: Canonical link: https://commits.webkit.org/272448.858@safari-7618-branch
WebKit · Apr 3, 2024 · ce10225 · ce10225
1 parent 95d9cee
commit ce10225
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 3 deletions.
diff --git a/Source/WebKit/WebProcess/WebPage/RemoteLayerTree/PlatformCAAnimationRemote.mm b/Source/WebKit/WebProcess/WebPage/RemoteLayerTree/PlatformCAAnimationRemote.mm
@@ -515,8 +515,11 @@ - (void)animationDidStop:(CAAnimation *)animation finished:(BOOL)finished
         auto animationGroup = [CAAnimationGroup animation];
 
         if (properties.animations.size()) {
-            [animationGroup setAnimations:createNSArray(properties.animations, [&] (auto& animationProperties) {
-                return createAnimation(layer, layerTreeHost, animationProperties).get();
+            [animationGroup setAnimations:createNSArray(properties.animations, [&] (auto& animationProperties) -> CAAnimation * {
+                if (PlatformCAAnimation::isValidKeyPath(properties.keyPath, properties.animationType))
+                    return createAnimation(layer, layerTreeHost, animationProperties).get();
+                ASSERT_NOT_REACHED();
+                return nil;
             }).get()];
         }
 

diff --git a/...t/WebProcess/WebPage/RemoteLayerTree/PlatformCAAnimationRemoteProperties.serialization.in b/...t/WebProcess/WebPage/RemoteLayerTree/PlatformCAAnimationRemoteProperties.serialization.in
@@ -22,7 +22,7 @@
 
 struct WebKit::PlatformCAAnimationRemoteProperties {
     String keyPath;
-    WebCore::PlatformCAAnimation::AnimationType animationType;
+    [Validator='WebCore::PlatformCAAnimation::isValidKeyPath(*keyPath, *animationType)'] WebCore::PlatformCAAnimation::AnimationType animationType;
 
     CFTimeInterval beginTime;
     double duration;