Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: c195e933ce50176cc8364190abe293b5a859836c
https://github.com/WebKit/WebKit/commit/c195e933ce50176cc8364190abe293b5a859836c
Author: Chris Dumez <[email protected]>
Date: 2026-06-04 (Thu, 04 Jun 2026)
Changed paths:
M Source/WebCore/WebCore.xcodeproj/project.pbxproj
M Source/WebCore/platform/graphics/cocoa/H264UtilitiesCocoa.mm
M Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj
A Tools/TestWebKitAPI/Tests/WebCore/cocoa/H264UtilitiesCocoaTests.mm
Log Message:
-----------
createVideoInfoFromAVCC() forms a span past the end of AVCC buffer for malformed input
https://bugs.webkit.org/show_bug.cgi?id=316276
Reviewed by Jean-Yves Avenard.
The SPS and PPS loops in createVideoInfoFromAVCC() each read a 16-bit
NAL unit size from the AVCC blob and then form a span over *size bytes
starting at the NAL header byte, before validating that *size bytes
actually remain in the buffer. The bounds check via BitReader::skipBytes()
happens immediately afterward and bails out, but the std::span::subspan()
call and the subsequent Vector<uint8_t> copy have already run by then.
For a 9-byte AVCC blob crafted so the SPS size field is 0xFFFF (only
the 1-byte NAL header actually follows), subspan(8, 65535) violates
the C++ precondition that Offset + Count <= size().
This is not exploitable in shipping WebKit: builds enable hardened
libc++, so the precondition violation aborts the process at the
subspan() call before any out-of-bounds memory is touched. The
observable effect is a clean WebContent crash on malformed AVCC
embedded in a WebM container's codec_private. There is no information
leak and no memory corruption. Without libc++ hardening the same
construct would be undefined behavior and could read up to 64 KB
past the buffer during the Vector copy, but that configuration is
not shipped.
Move skipBytes() above the subspan() call in both the SPS and PPS
loops so the buffer is proven to contain *size bytes before we form
a span over them. Adjust the offset from byteOffset() - 1 to
byteOffset() - *size to account for skipBytes() now advancing the
reader past the entire NAL unit.
Test: TestWebKitAPI.H264UtilitiesCocoa.MalformedAVCCWithTruncatedSPSDoesNotCrash
TestWebKitAPI.H264UtilitiesCocoa.MalformedAVCCWithTruncatedPPSDoesNotCrash
* Source/WebCore/WebCore.xcodeproj/project.pbxproj:
* Source/WebCore/platform/graphics/cocoa/H264UtilitiesCocoa.mm:
(WebCore::createVideoInfoFromAVCC):
* Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:
* Tools/TestWebKitAPI/Tests/WebCore/cocoa/H264UtilitiesCocoaTests.mm: Added.
(TestWebKitAPI::TEST(H264UtilitiesCocoa,
MalformedAVCCWithTruncatedSPSDoesNotCrash)):
(TestWebKitAPI::TEST(H264UtilitiesCocoa,
MalformedAVCCWithTruncatedPPSDoesNotCrash)):
Canonical link:
https://flagged.apple.com:443/proxy?t2=DA1P9V2xJ9&o=aHR0cHM6Ly9jb21taXRzLndlYmtpdC5vcmcvMzE0NjA1QG1haW4=&emid=6d2ef77b-a7eb-4349-b759-21c66b1d2610&c=11