Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: a790f14404a5bedb5411f2cd4847b35d642ccf5c
https://github.com/WebKit/WebKit/commit/a790f14404a5bedb5411f2cd4847b35d642ccf5c
Author: Chris Dumez <[email protected]>
Date: 2024-10-30 (Wed, 30 Oct 2024)
Changed paths:
M Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp
Log Message:
-----------
[WebAudio] Potential out of bounds read in copyDataFromBusesToJSArray()
https://bugs.webkit.org/show_bug.cgi?id=277639
rdar://132984512
Reviewed by Yusuke Suzuki.
The AudioWorkletProcessor constructs a JSArray of JSFloat32Arrays that is
frozen.
Then it passes the JSArray to arbitrary JavaScript so it can modify the data in
the JSFloat32Arrays. Finally, we memcpy the data from the JSFloat32Arrays to our
audio buses. Because the array is frozen, we expected that the arrays couldn't
change. However, one could set a shared array buffer at a particular index by
modifying Array.prototype. This would render our memcpy logic unsafe since the
size of the array could change on the main thread while we memcpy on the audio
worklet thread.
To address the issue, I now call `getDirectIndex()` instead of `getIndex()` to
ignore values set on the Array prototype and only consider the ones I populated
the array with. I'm also adding validation to make sure the the JSFloat32Arrays
are not shared since I'm constructing unshared ones.
* Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp:
(WebCore::getArrayAtIndex):
(WebCore::copyDataFromJSArrayToBuses):
(WebCore::copyDataFromBusesToJSArray):
(WebCore::zeroJSArray):
Originally-landed-as: 280938.195@safari-7619-branch (1bac059fd67b).
rdar://138871121
Canonical link: https://commits.webkit.org/285940@main
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
