[webkit-changes] [WebKit/WebKit] c0bd74: Web Audio WaveShaperNode: NaN input produces out-o...

Wed, 21 Jan 2026 12:40:21 -0800 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: c0bd74757c6e571109d7d4bbb89de17e56bc5705
      
https://github.com/WebKit/WebKit/commit/c0bd74757c6e571109d7d4bbb89de17e56bc5705
  Author: Phinehas Fuachie <[email protected]>
  Date:   2026-01-21 (Wed, 21 Jan 2026)

  Changed paths:
    A 
LayoutTests/webaudio/WaveShaper/waveshaper-nan-infinity-handling-expected.txt
    A LayoutTests/webaudio/WaveShaper/waveshaper-nan-infinity-handling.html
    M Source/WebCore/Modules/webaudio/WaveShaperDSPKernel.cpp
    M Source/WebCore/Modules/webaudio/WaveShaperDSPKernel.h
    M Source/WebCore/testing/Internals.cpp
    M Source/WebCore/testing/Internals.h
    M Source/WebCore/testing/Internals.idl

  Log Message:
  -----------
  Web Audio WaveShaperNode: NaN input produces out-of-bounds read in 
processCurve()
https://bugs.webkit.org/show_bug.cgi?id=305612
rdar://164364161

Reviewed by Youenn Fablet.

NaN input samples bypass range checks since NaN comparisons always return 
false, causing
std::floor(NaN) to produce NaN which converts to a garbage unsigned index, 
resulting in an
out-of-bounds read.

Fix by guarding non-finite inputs and outputting silence (0.0f). Also clamp 
valid inputs to [-1, 1]
for additional safety.

The static helper processCurveWithData is introduced to allow unit testing the 
algorithm in
isolation without needing to instantiate a WaveShaperProcessor.

* 
LayoutTests/webaudio/WaveShaper/waveshaper-nan-infinity-handling-expected.txt: 
Added.
* LayoutTests/webaudio/WaveShaper/waveshaper-nan-infinity-handling.html: Added.
* Source/WebCore/Modules/webaudio/WaveShaperDSPKernel.cpp:
(WebCore::WaveShaperDSPKernel::processCurve):
(WebCore::WaveShaperDSPKernel::processCurveWithData):
* Source/WebCore/Modules/webaudio/WaveShaperDSPKernel.h:
* Source/WebCore/testing/Internals.cpp:
(WebCore::Internals::waveShaperProcessCurveWithData):
* Source/WebCore/testing/Internals.h:
* Source/WebCore/testing/Internals.idl:

Canonical link: https://commits.webkit.org/305955@main



To unsubscribe from these emails, change your notification settings at 
https://github.com/WebKit/WebKit/settings/notifications

Reply via email to