[GTK][WPE] UI process crash in WebBackForwardList::restoreFromState
author carlosgc@webkit.org <carlosgc@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 8 Sep 2017 06:31:22 +0000 (06:31 +0000)
committer carlosgc@webkit.org <carlosgc@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 8 Sep 2017 06:31:22 +0000 (06:31 +0000)
https://bugs.webkit.org/show_bug.cgi?id=176303

Reviewed by Michael Catanzaro.

Ensure the current index provided by the session state is not out of actual item list bounds. This is a bug in
the session state decoder, but WebBackForwardList::backForwardListState() is already doing the check and using
the last item index instead, so it's not easy to know where the actual problem is. In any case we should
still protect the decoder.

* UIProcess/API/glib/WebKitWebViewSessionState.cpp:
(decodeSessionState):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@221779 268f45cc-cd09-0410-ab3c-d52691b4dbfc
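The commit message describes clamping a decoded index to the item list. The following is an added, constructed example (not WebKit's decoder and not part of this commit) that shows what the `std::min<uint32_t>(currentIndex, items.size() - 1)` form does on a non-empty list versus an empty one, next to a hypothetical hardened variant. `BackForwardItem`, `CurrentIndex`, `naiveClamp`, `clampCurrentIndex` and `isInBounds` are names invented for this illustration; the real session state types are not reproduced here.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <vector>

// Constructed stand-in for the decoded back/forward item list. Only the
// element count matters for the bounds check, so an item carries just a URL.
struct BackForwardItem {
    const char* url;
};

// The clamp written the way the patch writes it: min(currentIndex, size() - 1).
// For a non-empty list this pins the index to the last item. For an empty list,
// size() - 1 wraps around (size_t is unsigned), the explicit template argument
// narrows that to 0xFFFFFFFF, and an out-of-range index passes through unchanged.
uint32_t naiveClamp(uint32_t currentIndex, const std::vector<BackForwardItem>& items)
{
    return std::min<uint32_t>(currentIndex, items.size() - 1);
}

// Result of the hardened check: 'present' is false when there is no usable index.
struct CurrentIndex {
    bool present;
    uint32_t value; // meaningful only when present is true
};

// Hypothetical hardened version (not WebKit's code): the count is checked before
// any subtraction on the unsigned size, so an empty list yields "no current
// index" rather than a value that is out of bounds for every items[value] access.
CurrentIndex clampCurrentIndex(bool hasCurrentIndex, uint32_t currentIndex,
                               const std::vector<BackForwardItem>& items)
{
    if (!hasCurrentIndex || items.empty())
        return { false, 0 };
    const size_t lastIndex = items.size() - 1; // safe: size() >= 1 here
    if (currentIndex > lastIndex)
        return { true, static_cast<uint32_t>(lastIndex) }; // fits: lastIndex < currentIndex
    return { true, currentIndex };
}

// True when the index can subscript the list without reading past its end.
bool isInBounds(CurrentIndex index, const std::vector<BackForwardItem>& items)
{
    return index.present && index.value < items.size();
}

int main()
{
    // Constructed sample lists.
    const std::vector<BackForwardItem> three { {"https://a.example/"}, {"https://b.example/"}, {"https://c.example/"} };
    const std::vector<BackForwardItem> none;

    std::printf("naive clamp, 3 items, index 7 -> %u\n", naiveClamp(7, three)); // 2
    std::printf("naive clamp, 0 items, index 7 -> %u\n", naiveClamp(7, none));  // 7, still out of bounds

    const CurrentIndex hardened = clampCurrentIndex(true, 7, none);
    std::printf("hardened, 0 items, index 7 -> %s\n", hardened.present ? "index" : "no current index");
    return 0;
}
```

The second `printf` is the case the `std::min` form does not cover: with zero items the decoder still ends up with `currentIndex == 7`, so any later subscript by that index reads past the list. A decoder that validates untrusted session data should check the count first (as `clampCurrentIndex` does), or reject the state outright, rather than rely on a subtraction that can wrap.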

Source/WebKit/ChangeLog
Source/WebKit/UIProcess/API/glib/WebKitWebViewSessionState.cpp

Source/WebKit/ChangeLog
index fb28b5d..8873031 100644 (file)
@@ -1,3 +1,18 @@
+2017-09-07  Carlos Garcia Campos  <cgarcia@igalia.com>
+
+        [GTK][WPE] UI process crash in WebBackForwardList::restoreFromState
+        https://bugs.webkit.org/show_bug.cgi?id=176303
+
+        Reviewed by Michael Catanzaro.
+
+        Ensure the current index provided by the session state is not out of actual item list bounds. This is a bug in
+        the session state decoder, but WebBackForwardList::backForwardListState() is already doing the check and using
+        the last item index instead, so it's not easy to know where the actual problem is. In any case we should
+        still protect the decoder.
+
+        * UIProcess/API/glib/WebKitWebViewSessionState.cpp:
+        (decodeSessionState):
+
 2017-09-07  Andy Estes  <aestes@apple.com>
 
         [Mac] Upstream QTKit-related WebKitSystemInterface functions
Source/WebKit/UIProcess/API/glib/WebKitWebViewSessionState.cpp
index 4bea267..9cb5d93 100644 (file)
@@ -369,7 +369,7 @@ static bool decodeSessionState(GBytes* data, SessionState& sessionState)
     decodeBackForwardListItemState(backForwardListStateIter.get(), sessionState.backForwardListState);
 
     if (hasCurrentIndex)
-        sessionState.backForwardListState.currentIndex = currentIndex;
+        sessionState.backForwardListState.currentIndex = std::min<uint32_t>(currentIndex, sessionState.backForwardListState.items.size() - 1);
     return true;
 }
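Review bot: the clamp on the `+` line does not cover an empty item list. `sessionState.backForwardListState.items.size() - 1` is unsigned arithmetic, so with zero items it wraps to the maximum size_t value, the explicit `std::min<uint32_t>` template argument narrows that to 0xFFFFFFFF, and `currentIndex` passes through unchanged, still out of bounds for the crash this bug describes. Check the count before subtracting, e.g. `if (hasCurrentIndex && sessionState.backForwardListState.items.size())`, and leave `currentIndex` unset (or fail the decode) when the list is empty. Since the commit message itself notes that the silent fallback in WebBackForwardList::backForwardListState() makes the origin of the bad index hard to find, consider returning false or at least logging when the decoded index is out of range rather than clamping quietly a second time.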