RESOLVED FIXED 290201
[Fuzz Blocker][CoreIPC][GPU] WTF::Vector initial capacity isn't validated in RemoteGraphicsContextGL
https://bugs.webkit.org/show_bug.cgi?id=290201
roberto_rodriguez2
Reported 2025-03-21 12:21:06 PDT
rdar://146284403 (Radar originator: Jérémie Boutoille)

In `Source/WebKit/GPUProcess/graphics/RemoteGraphicsContextGLFunctionsGenerated.h`, this code pattern appears multiple times:

```
void getFloatv(uint32_t pname, size_t valueSize, CompletionHandler<void(std::span<const float>)>&& completionHandler)
{
    assertIsCurrent(workQueue());
    Vector<GCGLfloat, 16> value(valueSize, 0);
    protectedContext()->getFloatv(pname, value);
    completionHandler(spanReinterpretCast<const float>(value.span()));
}
```

`valueSize` is used without validation as the initial WTF::Vector capacity. This means that if a big value is provided, a crash occurs. It should be validated like this:

```
void getFloatv(uint32_t pname, size_t valueSize, CompletionHandler<void(std::span<const float>)>&& completionHandler)
{
    assertIsCurrent(workQueue());
    if (!WTF::isValidCapacityForVector<GCGLfloat>(valueSize))
        return;
    Vector<GCGLfloat, 16> value(valueSize, 0);
    protectedContext()->getFloatv(pname, value);
    completionHandler(spanReinterpretCast<const float>(value.span()));
}
```

This is not a security issue, but it's currently blocking our fuzzer.

To reproduce:
1. Build WebKit with ASan enabled.
2. Run the command: `./WebKitTestRunner --internal-feature IPCTestingAPIEnabled --no-timeout gl.html`
3. You should observe that the process crashes.
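The report above shows a caller-controlled IPC size flowing straight into a vector's initial capacity, and the proposed fix of validating it first. The following is an added, self-contained C++ illustration of that pattern and its guard; it is not WebKit code and does not use WTF. `isValidCapacityFor`, `kMaxVectorBytes`, `fakeGetFloatv`, `getFloatvUnchecked`, `getFloatvChecked` and `handleMessage` are all hypothetical stand-ins written for this example, and the 16 MiB ceiling is an assumed value chosen only to make the rejection observable.

```cpp
// Added example, not WebKit code: a minimal stand-in for the pattern in the
// report. An IPC message carries a caller-controlled element count; the
// handler must reject counts that cannot be backed by a real allocation
// before it touches the allocator.
#include <cstddef>
#include <cstdint>
#include <limits>
#include <optional>
#include <vector>

// Hypothetical analogue of WTF::isValidCapacityForVector<T>: a count is
// acceptable only if count * sizeof(T) does not overflow size_t and stays
// under a fixed ceiling. The 16 MiB ceiling is an assumption for this example.
constexpr std::size_t kMaxVectorBytes = 16u * 1024u * 1024u;

template <typename T>
bool isValidCapacityFor(std::size_t count)
{
    if (count > std::numeric_limits<std::size_t>::max() / sizeof(T))
        return false; // byte size would overflow size_t
    return count * sizeof(T) <= kMaxVectorBytes;
}

// Stand-in for the GL getFloatv call: fills the destination with as many
// values as it has room for (constructed data, not real GL state).
static void fakeGetFloatv(uint32_t pname, std::vector<float>& out)
{
    for (std::size_t i = 0; i < out.size(); ++i)
        out[i] = static_cast<float>(pname) + static_cast<float>(i);
}

// Unguarded handler, mirroring the reported code: valueSize flows straight
// into the vector's constructor. A huge valueSize throws std::length_error
// or std::bad_alloc here (WTF::Vector instead crashes in the allocator).
std::vector<float> getFloatvUnchecked(uint32_t pname, std::size_t valueSize)
{
    std::vector<float> value(valueSize, 0.0f);
    fakeGetFloatv(pname, value);
    return value;
}

// Guarded handler, mirroring the reporter's proposed fix: validate first and
// signal rejection to the caller instead of allocating.
std::optional<std::vector<float>> getFloatvChecked(uint32_t pname, std::size_t valueSize)
{
    if (!isValidCapacityFor<float>(valueSize))
        return std::nullopt; // drop the message, nothing was allocated
    std::vector<float> value(valueSize, 0.0f);
    fakeGetFloatv(pname, value);
    return value;
}

// Simulates the IPC boundary: a count decoded from an untrusted message is
// dispatched to the guarded handler. Returns the number of elements
// delivered, or 0 when the message was rejected.
std::size_t handleMessage(uint32_t pname, std::size_t untrustedSize)
{
    auto result = getFloatvChecked(pname, untrustedSize);
    return result ? result->size() : 0;
}

int main()
{
    // Normal request: 4 values, accepted and filled.
    std::size_t delivered = handleMessage(0x0B21, 4);
    // Fuzzer-style request: a count near SIZE_MAX, rejected before allocating.
    std::size_t rejected = handleMessage(0x0B21, std::numeric_limits<std::size_t>::max() - 1);
    return (delivered == 4 && rejected == 0) ? 0 : 1;
}
```

The point the example makes is where the check sits: the size is validated on the receiving side of the IPC boundary, before any allocation, and rejection is a silent early return (as in the proposed fix) rather than an assertion, so a fuzzer or a misbehaving web process cannot turn an oversized count into a GPU process crash.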
Attachments
Input for WebKitTestRunner (2.74 KB, text/html)
2025-03-21 12:21 PDT, roberto_rodriguez2
Support javascript file (56.37 KB, application/x-javascript)
2025-03-21 12:22 PDT, roberto_rodriguez2
roberto_rodriguez2
Comment 1 2025-03-21 12:21:46 PDT
Created attachment 474678 [details] Input for WebKitTestRunner
roberto_rodriguez2
Comment 2 2025-03-21 12:22:35 PDT
Created attachment 474679 [details] Support javascript file
roberto_rodriguez2
Comment 3 2025-03-21 12:25:44 PDT
EWS
Comment 4 2025-03-28 00:18:10 PDT
Committed 292806@main (634d3c001793): <https://commits.webkit.org/292806@main> Reviewed commits have been landed. Closing PR #42831 and removing active labels.