Bug 289947
| Summary: | [CoreIPC] [GPU] WebCore::SVGFilter expression/effects members are not validated | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Jon Butler <jonbutler> |
| Component: | New Bugs | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
Jon Butler
`WebCore::SVGFilter` can be serialized over CoreIPC. Among other fields it contains `expression` and `effects` fields.
`expression` is a vector of `WebCore::SVGFilterExpressionTerm` and `effects` a vector of `WebCore::FilterEffect`.
`WebCore::SVGFilterExpressionTerm` refers to `effects` members with the `index` property.
Because `expression` indexes are not validated, an OOB may occur at `m_effects[term.index]`.
However, thanks to the default Vector `OverflowHandler` being `CrashOnOverflow`, the bug cannot be exploited and only makes the GPU process crash.
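As an added illustration (not WebKit's code and not the landed fix), the missing check in simplified C++: a decode-side gate that rejects any term whose `index` does not address an existing effect, beside the consumer that indexes the effects vector. `FilterEffect`, `SVGFilterExpressionTerm` and `SVGFilterMessage` are simplified stand-ins for the WebCore types, not their real definitions.

```cpp
#include <cstddef>
#include <optional>
#include <vector>

// Simplified stand-ins for the WebCore types named in the report
// (hypothetical layouts, not WebKit's own definitions).
struct FilterEffect {
    int id;
};

struct SVGFilterExpressionTerm {
    unsigned index; // position into the effects vector
};

struct SVGFilterMessage {
    std::vector<SVGFilterExpressionTerm> expression;
    std::vector<FilterEffect> effects;
};

// The invariant the report says is never checked: every expression term
// must refer to an effect that actually exists. Fails on the first bad index.
bool expressionIndicesValid(const SVGFilterMessage& msg) {
    for (const auto& term : msg.expression) {
        if (term.index >= msg.effects.size())
            return false;
    }
    return true;
}

// Decode-side gate: accept the message only if the indices validate.
// std::nullopt models an IPC decoder rejecting malformed input up front,
// so a bad index never reaches m_effects[term.index] in the GPU process.
std::optional<SVGFilterMessage> decodeSVGFilter(SVGFilterMessage candidate) {
    if (!expressionIndicesValid(candidate))
        return std::nullopt;
    return candidate;
}

// Consumer that indexes effects by term; safe only for a validated message.
int sumReferencedEffectIds(const SVGFilterMessage& msg) {
    int total = 0;
    for (const auto& term : msg.expression)
        total += msg.effects[term.index].id;
    return total;
}
```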
Jon Butler
<rdar://problem/142968121>
Jon Butler
Pull request: https://github.com/WebKit/WebKit/pull/42610
EWS
Committed 292483@main (45047bcfe94e): <https://commits.webkit.org/292483@main>
Reviewed commits have been landed. Closing PR #42610 and removing active labels.