Bug 289536
| Summary: | GraphicsContextGLANGLE::readPixelsImpl crashes on checkedProduct<size_t> | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | roberto_rodriguez2 |
| Component: | ANGLE | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED FIXED | | |
| Severity: | Major | CC: | bfulgham, darin, djg, kbr, kkinnunen, rniwa, webkit-bug-importer |
| Priority: | P1 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
roberto_rodriguez2
rdar://146461356
Description: A crash happens in GraphicsContextGLANGLE::readPixelsImpl() because checkedProduct<size_t> overflows but is not checked prior to use.
The following snippet shows where:
```cpp
std::optional<IntSize> GraphicsContextGLANGLE::readPixelsImpl(IntRect rect, GCGLenum format, GCGLenum type, GCGLsizei bufSize, uint8_t* rawData, bool readingToPixelBufferObject)
{
    auto data = unsafeMakeSpan(rawData, checkedProduct<size_t>(rect.width(), rect.height(), 4)); // CRASH HERE - checkedProduct<size_t> needs to check for overflow before use.
```
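The pattern the report describes is an overflow-checked product whose result is consumed before anyone asks whether it overflowed. The following is an added example, not WebKit code: `checkedProductSizeT` is a stand-in for a checked product over `size_t` (it is not WTF's `checkedProduct`, and the name is assumed), and `readPixelsByteCount` mirrors the width * height * 4 computation from the snippet, returning `std::nullopt` on overflow, negative dimensions, or an undersized destination buffer instead of aborting.

```cpp
#include <cstddef>
#include <cstdio>
#include <limits>
#include <optional>

// Stand-in for an overflow-checked product over size_t (assumed name, not
// WTF's checkedProduct). Each multiplication is tested against SIZE_MAX
// before it is performed, so the caller gets nullopt rather than a wrapped
// or trapped value.
static std::optional<size_t> checkedProductSizeT(size_t a, size_t b, size_t c)
{
    const size_t maxValue = std::numeric_limits<size_t>::max();
    if (a != 0 && b > maxValue / a)
        return std::nullopt;
    size_t ab = a * b;
    if (ab != 0 && c > maxValue / ab)
        return std::nullopt;
    return ab * c;
}

// Mirrors the shape of the readPixelsImpl size computation: width * height * 4
// bytes for an RGBA8 rectangle. Dimensions arrive as size_t here (an
// assumption for the example). Returns the byte count only if the product
// does not overflow and the caller's buffer can hold it; a caller would
// only build a span over rawData after this returns a value.
static std::optional<size_t> readPixelsByteCount(size_t width, size_t height, size_t bufSize)
{
    auto bytes = checkedProductSizeT(width, height, 4);
    if (!bytes)                // the check the crash site was missing
        return std::nullopt;
    if (*bytes > bufSize)      // never hand out a span larger than the buffer
        return std::nullopt;
    return bytes;
}

int main()
{
    // Constructed inputs: a normal 640x480 RGBA read, a buffer that is too
    // small for it, and a rectangle whose byte count exceeds size_t.
    auto ok = readPixelsByteCount(640, 480, 2 * 1024 * 1024);
    std::printf("640x480 into 2 MiB: %s\n", ok ? "accepted" : "rejected");

    auto tooSmall = readPixelsByteCount(640, 480, 1024);
    std::printf("640x480 into 1 KiB: %s\n", tooSmall ? "accepted" : "rejected");

    auto overflow = readPixelsByteCount(std::numeric_limits<size_t>::max() / 2, 3, 1024);
    std::printf("overflowing rectangle: %s\n", overflow ? "accepted" : "rejected");
    return 0;
}
```

The point of the example is the order of operations: the product is unwrapped only after its overflow state has been inspected, and the size is compared against the destination buffer before any view over that buffer is created.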
Darin Adler
The check crashing is not a security bug: can’t exploit this if the process crashes. If we need large values to throw exceptions rather than crashing that’s for some other reason.
roberto_rodriguez2
Pull request: https://github.com/WebKit/WebKit/pull/42357
EWS
Committed 292236@main (3ee1b4aadb0f): <https://commits.webkit.org/292236@main>
Reviewed commits have been landed. Closing PR #42357 and removing active labels.