Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 1c9e3e8e8bcdd1531787cbf782fbf8020f3340d6
https://github.com/WebKit/WebKit/commit/1c9e3e8e8bcdd1531787cbf782fbf8020f3340d6
Author: Chris Dumez <[email protected]>
Date: 2026-06-03 (Wed, 03 Jun 2026)
Changed paths:
M Source/WebCore/platform/graphics/MIMESniffer.cpp
M Tools/TestWebKitAPI/Tests/WebCore/MIMESniffer.cpp
Log Message:
-----------
Out-of-bounds read in WebM MIME sniffer when iter reaches length()
https://bugs.webkit.org/show_bug.cgi?id=316181
Reviewed by Jean-Yves Avenard.
In hasSignatureForWebM(), the inner skip-NUL loop reads sequence[iter]
before testing iter < length:
```cpp
while (!sequence[iter] && iter < length)
    iter++;
```
After the preceding parseWebMVint() call and the iter += numberSize
update, iter can equal length, in which case the left operand of && is
evaluated first and reads one byte past the end of the span. A 7-byte
input crafted as EBML magic + 0x42 0x82 + a 1-byte vint reaches this
code path. WebKit builds with hardened libc++, so std::span's bounds
check turns this into a safe crash on every build, but it's still a
reachable crash on attacker-controlled input.
Swap the operands so the bounds check short-circuits the dereference,
and add an API test that exercises the truncated input.
Test: MIMESniffer.WebMSnifferDoesNotReadPastEnd
* Source/WebCore/platform/graphics/MIMESniffer.cpp:
(WebCore::MIMESniffer::hasSignatureForWebM):
* Tools/TestWebKitAPI/Tests/WebCore/MIMESniffer.cpp:
(TestWebKitAPI::TEST(MIMESniffer, WebMSnifferDoesNotReadPastEnd)):
Canonical link: https://commits.webkit.org/314498@main
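The operand-order fix described in the commit message, as an added example that is not WebKit's code: a constructed, simplified WebM signature check whose skip-NUL loop tests `iter < length` before touching `sequence[iter]`. The helper `parseWebMVintExample` and the result field `iterReachedLength` are hypothetical names chosen here; `truncatedWebMInput` builds the 7-byte input the commit describes (EBML magic, `0x42 0x82`, one 1-byte vint) so the `iter == length` state can be observed without any out-of-bounds access.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <iterator>
#include <optional>
#include <vector>

// Constructed example (not WebKit's code): a minimal WebM signature check laid
// out like the routine described in the commit message, with the skip-NUL loop
// written so that the bounds test short-circuits the dereference.

struct Vint {
    uint64_t value;
    size_t size; // total encoded length in bytes
};

// EBML variable-length integer: the position of the first set bit in the leading
// byte gives the length (0x80-0xFF is 1 byte, 0x40-0x7F is 2 bytes, and so on).
std::optional<Vint> parseWebMVintExample(const std::vector<uint8_t>& bytes, size_t offset)
{
    if (offset >= bytes.size() || !bytes[offset])
        return std::nullopt; // nothing to parse, or a reserved leading byte
    uint8_t first = bytes[offset];
    size_t size = 1;
    uint8_t mask = 0x80;
    while (!(first & mask)) {
        mask >>= 1;
        ++size;
    }
    if (offset + size > bytes.size())
        return std::nullopt; // truncated vint
    uint64_t value = first & static_cast<uint8_t>(mask - 1);
    for (size_t i = 1; i < size; ++i)
        value = (value << 8) | bytes[offset + i];
    return Vint { value, size };
}

struct SniffResult {
    bool isWebM;
    bool iterReachedLength; // skip-NUL loop was entered with iter == length
};

SniffResult hasSignatureForWebMExample(const std::vector<uint8_t>& sequence)
{
    static constexpr uint8_t ebmlMagic[] = { 0x1A, 0x45, 0xDF, 0xA3 };
    static constexpr uint8_t docTypeId[] = { 0x42, 0x82 };
    static constexpr uint8_t webm[] = { 'w', 'e', 'b', 'm' };

    const size_t length = sequence.size();
    if (length < sizeof(ebmlMagic)
        || !std::equal(std::begin(ebmlMagic), std::end(ebmlMagic), sequence.begin()))
        return { false, false };

    // Look for the DocType element ID inside the EBML header.
    for (size_t iter = sizeof(ebmlMagic); iter + 1 < length && iter < 38; ++iter) {
        if (sequence[iter] != docTypeId[0] || sequence[iter + 1] != docTypeId[1])
            continue;
        iter += sizeof(docTypeId);
        auto vint = parseWebMVintExample(sequence, iter);
        if (!vint)
            return { false, false };
        iter += vint->size; // after this update iter can land exactly on length

        const bool reachedLength = iter == length;
        // Bounds check first: when iter == length the dereference is never evaluated.
        while (iter < length && !sequence[iter])
            iter++;

        const bool matches = iter + sizeof(webm) <= length
            && std::equal(std::begin(webm), std::end(webm), sequence.begin() + iter);
        return { matches, reachedLength };
    }
    return { false, false };
}

// The 7-byte input from the commit message: EBML magic + 0x42 0x82 + a 1-byte vint.
std::vector<uint8_t> truncatedWebMInput()
{
    return { 0x1A, 0x45, 0xDF, 0xA3, 0x42, 0x82, 0x81 };
}

int main()
{
    SniffResult result = hasSignatureForWebMExample(truncatedWebMInput());
    std::printf("isWebM=%d iterReachedLength=%d\n", result.isWebM, result.iterReachedLength);
    return 0;
}
```

With the operands in the original order, `iterReachedLength == true` is exactly the state in which `sequence[iter]` would be read one byte past the end; with the bounds test first, the same input simply fails to match.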