From 4ab46243ea64a128a49b82e282a76679066152da Mon Sep 17 00:00:00 2001
From: x93008
Date: Wed, 20 May 2026 20:34:12 +0800
Subject: [PATCH 1/2] fix(macOS 11): prevent UAF crash in WKURLSchemeHandler stop_task
macOS 11 WebKit bug: during WKWebView dealloc, stopAllTasksForPage calls stop_task with already-freed task pointers. Any access (including the implicit objc_release from objc2 reference types) causes SIGSEGV. Fix: - stop_task: use raw pointers (*mut AnyObject) instead of objc2 references to skip automatic retain/release. Body is no-op since task is invalid. - start_task response handler: explicit drop(webview) before drop(task) to ensure correct deallocation order.
---
 src/wkwebview/class/url_scheme_handler.rs | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/src/wkwebview/class/url_scheme_handler.rs b/src/wkwebview/class/url_scheme_handler.rs
index c280b84c1..58f48b3a6 100644
--- a/src/wkwebview/class/url_scheme_handler.rs
+++ b/src/wkwebview/class/url_scheme_handler.rs
@@ -286,12 +286,18 @@ extern "C" fn start_task(
 }))
 .map_err(|_e| crate::Error::CustomProtocolTaskInvalid)?;
 
-if WEBVIEW_STATE.read().unwrap().contains_key(webview_id) {
+let result = if WEBVIEW_STATE.read().unwrap().contains_key(webview_id) {
 webview.remove_custom_task_key(task_key);
 Ok(())
 } else {
 Err(crate::Error::CustomProtocolTaskInvalid)
-}
+};
+
+// webview must drop before task: if webview drop triggers dealloc →
+// stopAllTasksForPage → platformStopTask, the task must still be alive.
+drop(webview);
+drop(task);
+result
 }
 
 #[cfg(feature = "tracing")]
@@ -334,8 +340,8 @@ extern "C" fn start_task(
 extern "C" fn stop_task(
 _this: &ProtocolObject,
 _sel: objc2::runtime::Sel,
-webview: &WryWebView,
-task: &ProtocolObject,
+_webview: *mut AnyObject,
+_task: *mut AnyObject,
 ) {
-webview.remove_custom_task_key(task.hash());
+// no-op: avoid accessing task/webview — macOS 11 may pass freed pointers here
 }
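Review bot: The explicit `drop(webview); drop(task);` ordering only covers the success path; the `?` on the `.map_err(|_e| crate::Error::CustomProtocolTaskInvalid)?;` line returns early, and on that path both values are dropped implicitly in reverse declaration order. If `task` is bound after `webview` in the enclosing handler (its start is outside the hunk), that early return releases the task before the webview, which is exactly the ordering the new comment says must not happen. A more robust form is to bind `task` before `webview` at the top of the handler so Rust's reverse-declaration drop order gives the guarantee on every exit path, keeping the explicit drops as documentation of intent. Either way the comment should state the scope of the guarantee, e.g. `// NOTE: the fallible call above returns before these drops; declaration order must keep task alive past webview there too.`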
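Review bot: Turning `stop_task` into an unconditional no-op removes the `webview.remove_custom_task_key(task.hash())` bookkeeping on every macOS version, not only macOS 11, so a task that WebKit cancels before the asynchronous response handler runs keeps its key registered. If that key is what the response path consults before calling into the task (the hunk does not show `remove_custom_task_key`'s consumers), cancelled tasks will now be treated as live and WebKit will be called on a task it has already stopped; at minimum the key set grows with page-initiated requests that are aborted until the handler in `start_task` removes them. Consider restricting the no-op to the affected platform with a runtime macOS major-version check and performing the removal through the raw pointers elsewhere, where they are valid. If the unconditional no-op is intended, say so in the comment, e.g. `// On all macOS versions key cleanup for stopped tasks is deferred to the start_task response handler.`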
From 9be1a6bfc3894fcd420db0f2dfff4eb1181888ae Mon Sep 17 00:00:00 2001
From: x93008
Date: Thu, 21 May 2026 10:17:33 +0800
Subject: [PATCH 2/2] chore: add change file for macOS 11 stop_task UAF fix
---
 .changes/fix-macos11-stop-task-uaf.md | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 .changes/fix-macos11-stop-task-uaf.md

diff --git a/.changes/fix-macos11-stop-task-uaf.md b/.changes/fix-macos11-stop-task-uaf.md
new file mode 100644
index 000000000..fb3f457c0
--- /dev/null
+++ b/.changes/fix-macos11-stop-task-uaf.md
@@ -0,0 +1,5 @@
+---
+"wry": patch
+---
+
+On macOS 11, fix use-after-free crash in custom protocol `stop_task` during WKWebView dealloc by using raw pointers instead of objc2 references and enforcing correct drop ordering in the async response handler.