289947 – [CoreIPC] [GPU] WebCore::SVGFilter expression/effects members are not validated

RESOLVED FIXED289947

[CoreIPC] [GPU] WebCore::SVGFilter expression/effects members are not validated

https://bugs.webkit.org/show_bug.cgi?id=289947

Summary [CoreIPC] [GPU] WebCore::SVGFilter expression/effects members are not validated

Jon Butler

Reported 2025-03-18 02:50:22 PDT

`WebCore::SVGFilter` can be serialized over CoreIPC. Among other fields it contains `expression` and `effects` fields. `expression` is a vector of `WebCore::SVGFilterExpressionTerm` and `effects` a vector of `WebCore::FilterEffect`. `WebCore::SVGFilterExpressionTerm` refers to `effects` members with the `index` property. Because `expression` indexes are not validated, an OOB may occur at `m_effects[term.index]`. However, thanks to the default Vector `OverflowHandler` being `CrashOnOverflow`, the bug cannot be exploited and only makes the GPU process crashing.

Attachments
Add attachment proposed patch, testcase, etc.

Jon Butler

Comment 1 2025-03-18 02:55:59 PDT

<rdar://problem/142968121>

Jon Butler

Comment 2 2025-03-18 03:13:14 PDT

Pull request: https://github.com/WebKit/WebKit/pull/42610

EWS

Comment 3 2025-03-21 10:00:10 PDT

Committed 292483@main (45047bcfe94e): <https://commits.webkit.org/292483@main> Reviewed commits have been landed. Closing PR #42610 and removing active labels.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component New Bugs

Assignee

Nobody

Reported

2025-03-18 02:50 PDT

Modified

2025-03-21 10:00 PDT History

CC List

1 user Show

URL

Keywords InRadar

Depends on

Blocks