Bug 308712
| Summary: | Binary key over-read in IndexedDB deserialization | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Jarred Sumner <jarred> |
| Component: | DOM | Assignee: | Anne van Kesteren <annevk> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | annevk, bfulgham, cdumez, webkit-bug-importer, ysuzuki |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
Jarred Sumner
I found this via Claude Code Security. Please don't credit me personally.
SUMMARY
In the binary key deserialization path of `decodeKey()` at Source/WebCore/Modules/indexeddb/server/IDBSerialization.cpp:354, `Vector<uint8_t> dataVector(data)` copies the entire remaining span into the vector, not just the declared `size` bytes. For compound array keys, the first binary sub-key's value includes the raw serialized bytes of all subsequent sub-keys.
DETAILS
At IDBSerialization.cpp:342-358:
```cpp
case SIDBKeyType::Binary: {
    uint64_t size64;
    if (!readLittleEndian(data, size64))
        return false;
    if (data.size() < size64)
        return false;
    if (size64 > std::numeric_limits<size_t>::max())
        return false;
    size_t size = static_cast<size_t>(size64);
    Vector<uint8_t> dataVector(data); // BUG: copies ALL remaining bytes
    skip(data, size); // only advances by size bytes
    result.setBinaryValue(ThreadSafeDataBuffer::create(WTF::move(dataVector)));
    return true;
}
```
The span cursor is correctly advanced by `skip(data, size)` for subsequent parsing, but `dataVector` already contains all trailing serialized data. For compound array keys `[binaryKey1, binaryKey2]`, `binaryKey1`'s value includes the raw serialized form of `binaryKey2`.
Introduced by: https://github.com/WebKit/WebKit/commit/2c844da0386ff67d69fe0982a84ef6df8533571b
SUGGESTED FIX
Change line 354 from `Vector<uint8_t> dataVector(data)` to `Vector<uint8_t> dataVector(data.first(size))`.
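As an added illustration (not code from the report or from WebKit), the following stand-alone C++ sketch reproduces the over-read described in the report on a constructed two-element compound key and shows the effect of bounding the copy to `size`. `ByteCursor`, `readLittleEndian64`, `encodeBinaryKey`, `decodeBinaryKey` and `decodeCompound` are hypothetical stand-ins for WebKit's span cursor and the `decodeKey()` binary path; the length-prefix encoding is assumed from the report's description, not taken from the IndexedDB serializer.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Hypothetical stand-in for the span cursor that decodeKey() walks.
struct ByteCursor {
    const uint8_t* ptr;
    size_t len;
    bool empty() const { return len == 0; }
    ByteCursor first(size_t n) const { return { ptr, n }; }   // bounded view
    void skip(size_t n) { ptr += n; len -= n; }               // advance cursor
};

// Read a little-endian u64 length prefix and advance past it.
static bool readLittleEndian64(ByteCursor& data, uint64_t& out) {
    if (data.len < sizeof(uint64_t))
        return false;
    out = 0;
    for (size_t i = 0; i < sizeof(uint64_t); ++i)
        out |= static_cast<uint64_t>(data.ptr[i]) << (8 * i);
    data.skip(sizeof(uint64_t));
    return true;
}

// Encode one binary sub-key as "u64 LE length, then payload" (assumed layout).
static std::vector<uint8_t> encodeBinaryKey(const std::vector<uint8_t>& payload) {
    std::vector<uint8_t> out;
    uint64_t size = payload.size();
    for (size_t i = 0; i < sizeof(uint64_t); ++i)
        out.push_back(static_cast<uint8_t>(size >> (8 * i)));
    out.insert(out.end(), payload.begin(), payload.end());
    return out;
}

// Decode one binary sub-key. bounded=false mirrors the reported bug
// (copying the whole remaining span); bounded=true mirrors the suggested fix.
static bool decodeBinaryKey(ByteCursor& data, std::vector<uint8_t>& result, bool bounded) {
    uint64_t size64;
    if (!readLittleEndian64(data, size64))
        return false;
    if (data.len < size64)
        return false;
    size_t size = static_cast<size_t>(size64);
    ByteCursor src = bounded ? data.first(size) : data;  // bug: unbounded copy
    result.assign(src.ptr, src.ptr + src.len);
    data.skip(size);  // the cursor advances by `size` in both variants
    return true;
}

// Decode consecutive binary sub-keys and report each decoded value's length.
static std::vector<size_t> decodeCompound(const std::vector<uint8_t>& serialized, bool bounded) {
    ByteCursor cur{ serialized.data(), serialized.size() };
    std::vector<size_t> sizes;
    while (!cur.empty()) {
        std::vector<uint8_t> value;
        if (!decodeBinaryKey(cur, value, bounded))
            break;
        sizes.push_back(value.size());
    }
    return sizes;
}

// Constructed sample: compound key [3-byte binary, 5-byte binary] = 24 bytes.
static std::vector<uint8_t> sampleCompoundKey() {
    std::vector<uint8_t> a = encodeBinaryKey({1, 2, 3});
    std::vector<uint8_t> b = encodeBinaryKey({9, 9, 9, 9, 9});
    a.insert(a.end(), b.begin(), b.end());
    return a;
}

int main() {
    // Buggy copy: first value is 16 bytes (3 own + 8 length prefix + 5 of the next key).
    for (size_t n : decodeCompound(sampleCompoundKey(), false))
        std::printf("unbounded: %zu\n", n);
    // Bounded copy: values are 3 and 5 bytes, as declared.
    for (size_t n : decodeCompound(sampleCompoundKey(), true))
        std::printf("bounded:   %zu\n", n);
    return 0;
}
```

The cursor arithmetic is identical in both variants, which is why the second sub-key still parses correctly; only the first value's contents are wrong, so a test that checks parse success alone would not catch the defect.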
Radar WebKit Bug Importer
<rdar://problem/171246072>
Anne van Kesteren
Pull request: https://github.com/WebKit/WebKit/pull/59965
EWS
Committed 308694@main (a7aa0f525259): <https://commits.webkit.org/308694@main>
Reviewed commits have been landed. Closing PR #59965 and removing active labels.