Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: b9c7a1bf56857f208d51df25317dbbf9501cdd21
https://github.com/WebKit/WebKit/commit/b9c7a1bf56857f208d51df25317dbbf9501cdd21
Author: Anthony Tarbinian <[email protected]>
Date: 2026-06-18 (Thu, 18 Jun 2026)
Changed paths:
M Source/WebCore/en.lproj/Localizable.strings
M Source/WebKit/Platform/cocoa/CocoaImage.h
M Source/WebKit/Platform/cocoa/CocoaImage.mm
M Source/WebKit/UIProcess/Extensions/Cocoa/WebExtensionCocoa.mm
M Tools/TestWebKitAPI/Tests/WebKit/WKWebView/WKWebExtension.mm
Log Message:
-----------
Prevent untrusted image data from reaching ImageIO codec dispatch via WebExtension icon loading
https://bugs.webkit.org/show_bug.cgi?id=316858
rdar://177404759
Reviewed by Timothy Hatcher.
If an attacker provides a WebExtension icon, they can control which image decoder gets run and can run exotic, untrusted image decoders in the UIProcess. The attacker can change the first few magic bytes of an image to trigger a specific image decoder to be parsed.
This attack surface is exposed via [NSImage initWithData], which reads the first few magic bytes of an image and dispatches to a specific image decoder. These image decoders can be for exotic image types (e.g. PSD, OpenEXR, TIFF) which are not subject to the same security scrutiny that more common decoders are.
The first part of this fix replaces this call to [NSImage initWithData] with a three stage approach which:
1. Extracts the type of the image with CGImageSourceGetType (CoreGraphics)
2. Checks if the type is allowed in WebCore::isSupportedImageType
3. If so, decodes it with CGImageSourceCreateImageAtIndex + [NSImage/UIImage initWithCGImage]
There is an edge case for SVG, as it is a vector format which doesn't go through CoreGraphics (until it is rasterized). Previous to this patch, SVG was handled by [NSImage initWithData] on macOS, and iOS had a dedicated call to [UIImage _imageWithCGSVGDocument].
Now that we are removing the call to [NSImage initWithData], SVG on macOS needs to be routed elsewhere. I chose to route it through [_NSSVGImageRep initWithData].
Test: Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebExtension.mm
Test: Tools/TestWebKitAPI/Tests/WebKit/WKWebView/WKWebExtension.mm
* Source/WebCore/en.lproj/Localizable.strings:
* Source/WebKit/Platform/cocoa/CocoaImage.h:
* Source/WebKit/Platform/cocoa/CocoaImage.mm:
(WebKit::createCocoaImageRestrictedToSupportedTypes):
* Source/WebKit/UIProcess/Extensions/Cocoa/WebExtensionCocoa.mm:
(WebKit::WebExtension::iconForPath):
* Tools/TestWebKitAPI/Tests/WebKit/WKWebView/WKWebExtension.mm:
(TestWebKitAPI::TEST(WKWebExtension, IconsWithUnsupportedFormatsAreRejected)):
(TestWebKitAPI::TEST(WKWebExtension, SVGIconViaIconsKeyLoads)):
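The three stage decode described in the commit message, written out as an added Objective-C example (not WebKit's own `createCocoaImageRestrictedToSupportedTypes`): the allowlist in `isAllowedImageType` is an assumed stand-in for `WebCore::isSupportedImageType`, the function name `createImageRestrictedToAllowedTypes` is hypothetical, and the SVG path is deliberately left out since it does not go through CoreGraphics.

```objc
#import <Foundation/Foundation.h>
#import <ImageIO/ImageIO.h>
#if TARGET_OS_IPHONE
#import <UIKit/UIKit.h>
typedef UIImage CocoaImage;
#else
#import <AppKit/AppKit.h>
typedef NSImage CocoaImage;
#endif

// Assumed stand-in for WebCore::isSupportedImageType: an explicit UTI
// allowlist of common raster formats. Anything not listed (PSD, OpenEXR,
// TIFF, ...) is rejected before its codec is ever reached.
static BOOL isAllowedImageType(NSString *uti)
{
    static NSSet<NSString *> *allowed;
    static dispatch_once_t onceToken;
    dispatch_once(&onceToken, ^{
        allowed = [NSSet setWithArray:@[ @"public.png", @"public.jpeg", @"com.compuserve.gif" ]];
    });
    return uti != nil && [allowed containsObject:uti];
}

// Decodes untrusted bytes only if ImageIO identifies them as an allowed type;
// returns nil otherwise, so an unlisted decoder never runs in this process.
static CocoaImage *createImageRestrictedToAllowedTypes(NSData *data)
{
    if (!data.length)
        return nil;
    CGImageSourceRef source = CGImageSourceCreateWithData((__bridge CFDataRef)data, NULL);
    if (!source)
        return nil;
    // Stage 1: ask ImageIO which type the magic bytes claim, without decoding.
    NSString *type = (__bridge NSString *)CGImageSourceGetType(source);
    // Stage 2: reject anything outside the allowlist before any codec runs.
    if (!isAllowedImageType(type) || CGImageSourceGetCount(source) < 1) {
        CFRelease(source);
        return nil;
    }
    // Stage 3: decode the first frame with the now-vetted codec.
    CGImageRef cgImage = CGImageSourceCreateImageAtIndex(source, 0, NULL);
    CFRelease(source);
    if (!cgImage)
        return nil;
#if TARGET_OS_IPHONE
    CocoaImage *image = [UIImage imageWithCGImage:cgImage];
#else
    CocoaImage *image = [[NSImage alloc] initWithCGImage:cgImage size:NSZeroSize];
#endif
    CGImageRelease(cgImage);
    return image;
}
```

Compile with ARC; a test harness would feed it a PNG with its magic bytes rewritten to another format's signature and assert that the result is nil rather than a decoded image.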