Modified: trunk/LayoutTests/imported/w3c/ChangeLog (237216 => 237217)
--- trunk/LayoutTests/imported/w3c/ChangeLog 2018-10-17 11:00:13 UTC (rev 237216)
+++ trunk/LayoutTests/imported/w3c/ChangeLog 2018-10-17 11:07:59 UTC (rev 237217)
@@ -1,3 +1,13 @@
+2018-10-17 Charlie Turner <ctur...@igalia.com>
+
+ [EME] Sanity check key ID length in the keyids init data format
+ https://bugs.webkit.org/show_bug.cgi?id=190629
+
+ Reviewed by Xabier Rodriguez-Calvar.
+
+ * web-platform-tests/encrypted-media/clearkey-generate-request-disallowed-input.https-expected.txt:
+ Added new baseline.
+
2018-10-16 Youenn Fablet <you...@apple.com>
Support RTCConfiguration.certificates
Added: trunk/LayoutTests/imported/w3c/web-platform-tests/encrypted-media/clearkey-generate-request-disallowed-input.https-expected.txt (0 => 237217)
--- trunk/LayoutTests/imported/w3c/web-platform-tests/encrypted-media/clearkey-generate-request-disallowed-input.https-expected.txt (rev 0)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/encrypted-media/clearkey-generate-request-disallowed-input.https-expected.txt 2018-10-17 11:07:59 UTC (rev 237217)
@@ -0,0 +1,12 @@
+
+PASS org.w3.clearkey, temporary, webm, initData longer than 64Kb characters
+PASS org.w3.clearkey, temporary, cenc, initData longer than 64Kb characters
+PASS org.w3.clearkey, temporary, keyids, initData longer than 64Kb characters
+PASS org.w3.clearkey, temporary, cenc, invalid initdata (size too large)
+PASS org.w3.clearkey, temporary, cenc, invalid initdata (not pssh)
+PASS org.w3.clearkey, temporary, cenc, invalid key id length (4 instead of 2)
+PASS org.w3.clearkey, temporary, cenc, invalid data size (32 instead of 16)
+PASS org.w3.clearkey, temporary, cenc, invalid initdata (second box has incorrect size)
+PASS org.w3.clearkey, temporary, keyids, invalid initdata (too short key ID)
+PASS org.w3.clearkey, temporary, keyids, invalid initdata (too long key ID)
+
Modified: trunk/Source/WebCore/ChangeLog (237216 => 237217)
--- trunk/Source/WebCore/ChangeLog 2018-10-17 11:00:13 UTC (rev 237216)
+++ trunk/Source/WebCore/ChangeLog 2018-10-17 11:07:59 UTC (rev 237217)
@@ -1,3 +1,16 @@
+2018-10-17 Charlie Turner <ctur...@igalia.com>
+
+ [EME] Sanity check key ID length in the keyids init data format
+ https://bugs.webkit.org/show_bug.cgi?id=190629
+
+ Reviewed by Xabier Rodriguez-Calvar.
+
+ Covered by web-platform-tests/encrypted-media/clearkey-generate-request-disallowed-input.https.html
+
+ * Modules/encryptedmedia/InitDataRegistry.cpp:
+ (WebCore::extractKeyIDsKeyids): Ensure the decoded key id length
+ is at least 1 byte and no more than 512 bytes.
+
2018-10-16 Chris Dumez <cdu...@apple.com>
Regression(r236795) Check boxes are sometimes checked when they should not be
Modified: trunk/Source/WebCore/Modules/encryptedmedia/InitDataRegistry.cpp (237216 => 237217)
--- trunk/Source/WebCore/Modules/encryptedmedia/InitDataRegistry.cpp 2018-10-17 11:00:13 UTC (rev 237216)
+++ trunk/Source/WebCore/Modules/encryptedmedia/InitDataRegistry.cpp 2018-10-17 11:07:59 UTC (rev 237217)
@@ -45,6 +45,8 @@
// as per spec the size of the ContentEncKeyID is encoded on 16 bits.
// https://matroska.org/technical/specs/index.html#ContentEncKeyID/
const uint32_t kWebMMaxContentEncKeyIDSize = 64 * KB; // 2^16
+ const uint32_t kKeyIdsMinKeyIdSizeInBytes = 1;
+ const uint32_t kKeyIdsMaxKeyIdSizeInBytes = 512;
}
static std::optional<Vector<Ref<SharedBuffer>>> extractKeyIDsKeyids(const SharedBuffer& buffer)
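Review bot: The two new constants sit directly under the comment about the WebM ContentEncKeyID size and its matroska.org link, so a reader can take that comment as covering them as well. Going by the ChangeLog entry, they bound the decoded key ID length for the keyids format in extractKeyIDsKeyids, and a separate comment would say so, for example `// keyids format: a base64url-decoded key ID must be 1..512 bytes; enforced in extractKeyIDsKeyids().`. A reference to wherever the 512-byte limit is specified would help too; that source is not visible in this commit. The namespace and the function whose signature closes this hunk both continue outside it.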
@@ -77,6 +79,9 @@
if (!WTF::base64URLDecode(keyID, { keyIDData }))
continue;
+ if (keyIDData.size() < kKeyIdsMinKeyIdSizeInBytes || keyIDData.size() > kKeyIdsMaxKeyIdSizeInBytes)
+ return std::nullopt;
+
Ref<SharedBuffer> keyIDBuffer = SharedBuffer::create(WTFMove(keyIDData));
keyIDs.append(WTFMove(keyIDBuffer));
}
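Review bot: A key ID that fails `WTF::base64URLDecode` is skipped with `continue`, while one with an out-of-range length now rejects the whole init data with `return std::nullopt`, so two kinds of malformed untrusted input are handled differently in the same loop. If the skip is not deliberate, failing closed in both cases would be more consistent: `if (!WTF::base64URLDecode(keyID, { keyIDData })) return std::nullopt;`. The upper bound is also applied only after decoding, so an oversized entry is decoded in full before being rejected. Checking the encoded length of `keyID` before the decode would avoid that work, assuming it is a string at that point. The loop and the rest of extractKeyIDsKeyids start and end outside this hunk, including the declaration of `keyIDData`.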