Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: b9c7a1bf56857f208d51df25317dbbf9501cdd21
      
https://github.com/WebKit/WebKit/commit/b9c7a1bf56857f208d51df25317dbbf9501cdd21
  Author: Anthony Tarbinian <[email protected]>
  Date:   2026-06-18 (Thu, 18 Jun 2026)

  Changed paths:
    M Source/WebCore/en.lproj/Localizable.strings
    M Source/WebKit/Platform/cocoa/CocoaImage.h
    M Source/WebKit/Platform/cocoa/CocoaImage.mm
    M Source/WebKit/UIProcess/Extensions/Cocoa/WebExtensionCocoa.mm
    M Tools/TestWebKitAPI/Tests/WebKit/WKWebView/WKWebExtension.mm

  Log Message:
  -----------
Prevent untrusted image data from reaching ImageIO codec dispatch via WebExtension icon loading
https://bugs.webkit.org/show_bug.cgi?id=316858
rdar://177404759

Reviewed by Timothy Hatcher.

If an attacker provides a WebExtension icon, they can control which image decoder gets run and can run exotic, untrusted image decoders in the UIProcess. The attacker can change the first few magic bytes of an image to trigger a specific image decoder to be parsed.

This attack surface is exposed via [NSImage initWithData] which reads the first few magic bytes of an image and dispatches to a specific image decoder. These image decoders can be for exotic image types (i.e. PSD, OpenEXR, TIFF) which are not subject to the same security scrutiny that more common decoders are.

The first part of this fix replaces this call to [NSImage initWithData]
with a three stage approach which:
1. Extracts the type of the image with CGImageSourceGetType (CoreGraphics)
2. Check if the type is allowed in WebCore::isSupportedImageType
3. If so, decode it with CGImageSourceCreateImageAtIndex + [NSImage/UIImage initWithCGImage]

There is an edge case for SVG, as it is a vector format which doesn't go through CoreGraphics (until it is rasterized). Previous to this patch, SVG was handled by [NSImage initWithData] on macOS and iOS had a dedicated call to [UIImage _imageWithCGSVGDocument]. Now that we are removing the call to [NSImage initWithData], SVG on macOS needs to be routed elsewhere. I chose to route it through [_NSSVGImageRep initWithData].

Test: Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebExtension.mm

Test: Tools/TestWebKitAPI/Tests/WebKit/WKWebView/WKWebExtension.mm
* Source/WebCore/en.lproj/Localizable.strings:
* Source/WebKit/Platform/cocoa/CocoaImage.h:
* Source/WebKit/Platform/cocoa/CocoaImage.mm:
(WebKit::createCocoaImageRestrictedToSupportedTypes):
* Source/WebKit/UIProcess/Extensions/Cocoa/WebExtensionCocoa.mm:
(WebKit::WebExtension::iconForPath):
* Tools/TestWebKitAPI/Tests/WebKit/WKWebView/WKWebExtension.mm:
(TestWebKitAPI::TEST(WKWebExtension, IconsWithUnsupportedFormatsAreRejected)):
(TestWebKitAPI::TEST(WKWebExtension, SVGIconViaIconsKeyLoads)):
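The three-stage approach described in the commit message (sniff the type with CGImageSourceGetType, consult an allow list, and only then decode), as an added illustration that is not WebKit's own code: the allow list `isAllowedIconType` is a hypothetical stand-in for WebCore::isSupportedImageType, the PSD header in `main` is a constructed sample, and the real helper additionally wraps the CGImage in an NSImage/UIImage.

```objc
#import <Foundation/Foundation.h>
#import <ImageIO/ImageIO.h>
#import <UniformTypeIdentifiers/UniformTypeIdentifiers.h>

// Hypothetical stand-in for WebCore::isSupportedImageType (assumption: the
// real list lives in WebCore and differs from this one).
static BOOL isAllowedIconType(CFStringRef uti)
{
    if (!uti)
        return NO;
    NSArray<UTType *> *allowed = @[ UTTypePNG, UTTypeJPEG, UTTypeGIF, UTTypeWebP, UTTypeBMP, UTTypeICO ];
    UTType *type = [UTType typeWithIdentifier:(__bridge NSString *)uti];
    for (UTType *candidate in allowed) {
        if ([type conformsToType:candidate])
            return YES;
    }
    return NO;
}

// Returns a CGImage the caller must release, or NULL when the data is not an
// allow-listed type. Only stage 3 runs a pixel decoder, so codecs for
// rejected formats (PSD, OpenEXR, TIFF, ...) are never dispatched to.
static CGImageRef createImageRestrictedToAllowedTypes(NSData *data)
{
    CGImageSourceRef source = CGImageSourceCreateWithData((__bridge CFDataRef)data, NULL);
    if (!source)
        return NULL;

    CFStringRef uti = CGImageSourceGetType(source);   // stage 1: container sniffing only
    if (!isAllowedIconType(uti)) {                    // stage 2: allow list
        CFRelease(source);
        return NULL;
    }

    CGImageRef image = CGImageSourceCreateImageAtIndex(source, 0, NULL); // stage 3: decode
    CFRelease(source);
    return image;
}

int main(void)
{
    @autoreleasepool {
        // Constructed sample: the "8BPS" magic that identifies a Photoshop (PSD) file.
        // Whether ImageIO reports a PSD type or no type at all, the result is NULL:
        // the PSD decoder is never reached.
        NSData *psdHeader = [NSData dataWithBytes:"8BPS\0\1" length:6];
        CGImageRef image = createImageRestrictedToAllowedTypes(psdHeader);
        NSLog(@"PSD icon accepted: %@", image ? @"YES" : @"NO");
        if (image)
            CGImageRelease(image);
    }
    return 0;
}
```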
