Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: a6cd3caa40b3dd0b15924d8e7027be03f322c101
https://github.com/WebKit/WebKit/commit/a6cd3caa40b3dd0b15924d8e7027be03f322c101
Author: Chris Dumez <[email protected]>
Date: 2026-06-04 (Thu, 04 Jun 2026)
Changed paths:
M Source/WebCore/history/BackForwardController.cpp
M Source/WebKit/UIProcess/WebBackForwardList.cpp
M Source/WebKit/UIProcess/WebBackForwardList.h
Log Message:
-----------
Fix signed integer overflow (UB) in back/forward list index handling
https://bugs.webkit.org/show_bug.cgi?id=312851
rdar://175017079
Reviewed by Charlie Wolfe.
When index/distance is INT_MIN, the expression `static_cast<unsigned>(-index)` negates in signed arithmetic before casting, which is undefined behavior. A compromised WebProcess can send INT32_MIN via the BackForwardItemAtIndex IPC message, triggering UB in the UIProcess.

Add a MESSAGE_CHECK in the IPC handler to reject INT_MIN, and as defense in depth, fix the arithmetic in both WebBackForwardList::itemAtIndex() and BackForwardController::canGoBackOrForward() to cast to unsigned before negating (`-static_cast<unsigned>(index)`), which is well-defined modular arithmetic.
* Source/WebCore/history/BackForwardController.cpp:
(WebCore::BackForwardController::canGoBackOrForward const):
* Source/WebKit/UIProcess/WebBackForwardList.cpp:
(WebKit::WebBackForwardList::itemAtDeltaFromCurrentIndex const):
(WebKit::WebBackForwardList::backForwardItemAtIndexForWebContent):
* Source/WebKit/UIProcess/WebBackForwardList.h:
Originally-landed-as: 305413.707@safari-7624-branch (895026bc5a49).
rdar://175017079
Canonical link: https://commits.webkit.org/314581@main
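The two-layer fix the commit describes, as an added illustration rather than WebKit's own code: a toy history list that rejects INT_MIN at the message boundary (the role of the MESSAGE_CHECK) and, as defense in depth, computes backward distances with the cast-then-negate form so the arithmetic stays defined even if a bad value gets through. The `BackForwardList` struct, its members and the sample entries are hypothetical.

```cpp
#include <climits>
#include <cstddef>
#include <optional>
#include <string>
#include <vector>

// Hypothetical stand-in for the UIProcess-side list: entries plus a current index.
struct BackForwardList {
    std::vector<std::string> entries;   // constructed sample history
    size_t currentIndex = 0;

    // Boundary check, like the MESSAGE_CHECK in the commit: a delta of INT_MIN
    // is rejected before any arithmetic touches it.
    static bool isAcceptableDelta(int delta) { return delta != INT_MIN; }

    // Safe form: convert to unsigned FIRST, then negate. Unsigned negation is
    // modular (mod 2^32 for a 32-bit unsigned) and defined for every input,
    // so INT_MIN maps to 2^31 instead of overflowing. The pre-fix form,
    // static_cast<unsigned>(-delta), negates in signed arithmetic and is UB
    // for INT_MIN; it is deliberately not used here.
    static unsigned backwardDistance(int negativeDelta) {
        return -static_cast<unsigned>(negativeDelta);
    }

    // Returns the entry at currentIndex + delta, or nullopt when the delta is
    // rejected or falls outside the list.
    std::optional<std::string> itemAtDelta(int delta) const {
        if (!isAcceptableDelta(delta))
            return std::nullopt;            // what a failed MESSAGE_CHECK leads to
        if (delta == 0)
            return entries[currentIndex];
        if (delta < 0) {
            unsigned back = backwardDistance(delta);
            if (back > currentIndex)        // would walk past the first entry
                return std::nullopt;
            return entries[currentIndex - back];
        }
        unsigned forward = static_cast<unsigned>(delta);
        if (forward >= entries.size() - currentIndex)
            return std::nullopt;
        return entries[currentIndex + forward];
    }
};
```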