Bug 289536 - RESOLVED FIXED
GraphicsContextGLANGLE::readPixelsImpl crashes on checkedProduct<size_t>
https://bugs.webkit.org/show_bug.cgi?id=289536
Summary: GraphicsContextGLANGLE::readPixelsImpl crashes on checkedProduct<size_t>
roberto_rodriguez2
Reported 2025-03-11 09:34:14 PDT
rdar://146461356

Description: A crash happens in GraphicsContextGLANGLE::readPixelsImpl() because checkedProduct<size_t> overflows but is not checked prior to use. The following snippet shows where:

    std::optional<IntSize> GraphicsContextGLANGLE::readPixelsImpl(IntRect rect, GCGLenum format, GCGLenum type, GCGLsizei bufSize, uint8_t* rawData, bool readingToPixelBufferObject)
    {
        auto data = unsafeMakeSpan(rawData, checkedProduct<size_t>(rect.width(), rect.height(), 4)); // CRASH HERE - checkedProduct<size_t> needs to check for overflow before use.
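As an added illustration of the pattern the report describes (this is not the reporter's code, not WebKit's WTF checked arithmetic, and not the fix that landed), the following hypothetical C++ model shows a checked product whose overflow flag is inspected before the value is used, so an oversized or negative rectangle is reported through std::optional rather than terminating the process. The names CheckedSize, checkedProduct, unwrapOrCrash and checkedReadPixelsByteLength, and the sample dimensions, are assumptions constructed for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <iostream>
#include <limits>
#include <optional>

// Minimal stand-in for a checked product (hypothetical; not WTF's Checked
// arithmetic): the result is usable only while no step has overflowed.
struct CheckedSize {
    size_t value = 0;
    bool overflowed = false;
};

CheckedSize checkedProduct(size_t a, size_t b)
{
    CheckedSize r;
    if (a != 0 && b > std::numeric_limits<size_t>::max() / a) {
        r.overflowed = true; // a * b does not fit in size_t
        return r;
    }
    r.value = a * b;
    return r;
}

CheckedSize checkedProduct(size_t a, size_t b, size_t c)
{
    CheckedSize ab = checkedProduct(a, b);
    if (ab.overflowed)
        return ab;
    return checkedProduct(ab.value, c);
}

// "Before" pattern from the report: the overflow flag is never inspected by
// the caller, so the only outcome of an overflowed product is a process abort.
size_t unwrapOrCrash(const CheckedSize& s)
{
    if (s.overflowed)
        std::abort();
    return s.value;
}

// Hardened pattern: compute width * height * 4 (RGBA bytes per pixel) with
// explicit checks and report failure via std::optional instead of crashing.
// Dimensions and bufSize are int, mirroring IntRect / GCGLsizei in the report.
std::optional<size_t> checkedReadPixelsByteLength(int width, int height, int bufSize)
{
    // A negative dimension converted to size_t becomes a huge value, so reject
    // it before any arithmetic rather than relying on the overflow check.
    if (width < 0 || height < 0 || bufSize < 0)
        return std::nullopt;
    CheckedSize bytes = checkedProduct(static_cast<size_t>(width), static_cast<size_t>(height), 4);
    if (bytes.overflowed)
        return std::nullopt; // product does not fit in size_t
    if (bytes.value > static_cast<size_t>(bufSize))
        return std::nullopt; // caller's buffer is too small for the requested rectangle
    return bytes.value;
}

int main()
{
    // Constructed inputs: a 4x2 RGBA read into a 32-byte buffer succeeds...
    std::cout << "4x2 into 32 bytes: " << (checkedReadPixelsByteLength(4, 2, 32) ? "ok" : "rejected") << "\n";
    // ...while a negative width or an undersized buffer is rejected, not crashed on.
    std::cout << "-1x2 into 32 bytes: " << (checkedReadPixelsByteLength(-1, 2, 32) ? "ok" : "rejected") << "\n";
    std::cout << "4x2 into 31 bytes: " << (checkedReadPixelsByteLength(4, 2, 31) ? "ok" : "rejected") << "\n";
    // The unchecked unwrap is fine only when the product provably fits.
    std::cout << "4*2*4 = " << unwrapOrCrash(checkedProduct(4, 2, 4)) << "\n";
    return 0;
}
```

The point of the split between unwrapOrCrash and checkedReadPixelsByteLength is where the decision is made: in the first, an overflow can only abort; in the second, the flag and the buffer size are both validated before the value ever reaches span construction, so a malformed rectangle becomes an ordinary failed read.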
Darin Adler
Comment 1 2025-03-11 14:49:36 PDT
The check crashing is not a security bug: can’t exploit this if the process crashes. If we need large values to throw exceptions rather than crashing that’s for some other reason.
roberto_rodriguez2
Comment 2 2025-03-12 16:29:33 PDT
EWS
Comment 3 2025-03-16 08:26:22 PDT
Committed 292236@main (3ee1b4aadb0f): <https://commits.webkit.org/292236@main>

Reviewed commits have been landed. Closing PR #42357 and removing active labels.