[webkit-changes] [WebKit/WebKit] c1787c: jsc_fuz/wktr: heap-buffer-overflow in WebCore::We...
youennf
noreply at github.com
Wed Dec 20 08:52:19 PST 2023
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: c1787ccc4e9191a754f0ccfd07ad2d2f74a52b78
https://github.com/WebKit/WebKit/commit/c1787ccc4e9191a754f0ccfd07ad2d2f74a52b78
Author: Youenn Fablet <youennf at gmail.com>
Date: 2023-12-20 (Wed, 20 Dec 2023)
Changed paths:
A LayoutTests/http/wpt/webcodecs/videoFrame-rect-expected.txt
A LayoutTests/http/wpt/webcodecs/videoFrame-rect.html
M LayoutTests/platform/wpe/TestExpectations
M Source/WebCore/Modules/webcodecs/WebCodecsVideoFrameAlgorithms.cpp
Log Message:
-----------
jsc_fuz/wktr: heap-buffer-overflow in WebCore::WebCodecsVideoFrame::copyTo(...) WebCodecsVideoFrame.cpp:488
https://bugs.webkit.org/show_bug.cgi?id=262955
rdar://115835656
Reviewed by Eric Carlson.
We add a check that x and y are positive or zero.
Otherwise, we might still pass the check that the total width or height is below the codedWidth/codedHeight, while it is not.
* LayoutTests/http/wpt/webcodecs/videoFrame-rect-expected.txt: Added.
* LayoutTests/http/wpt/webcodecs/videoFrame-rect.html: Added.
* Source/WebCore/Modules/webcodecs/WebCodecsVideoFrameAlgorithms.cpp:
(WebCore::parseVisibleRect):
Originally-landed-as: 267815.265 at safari-7617-branch (aa715fb68472). rdar://119565892
Canonical link: https://commits.webkit.org/272352@main
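
The check described in the log message, as an added C++ example (not WebKit's code and not part of this commit): a far-edge comparison alone accepts a rect with a negative origin whose width and height exceed the coded size, and the origin check rejects it. `Rect`, `CodedSize`, the function names and the tightly packed plane layout are assumptions made for illustration.

```cpp
#include <cstdint>
#include <cstdio>
#include <initializer_list>

// Hypothetical stand-ins for illustration; not WebKit's types or function names.
struct Rect { int64_t x, y, width, height; };
struct CodedSize { int64_t width, height; };

// "Before" shape: only the far edges are compared with the coded size.
bool fitsFarEdgeOnly(const Rect& r, const CodedSize& c)
{
    return r.width > 0 && r.height > 0
        && r.x + r.width <= c.width
        && r.y + r.height <= c.height;
}

// "After" shape: x and y must be positive or zero before the edge check.
bool fitsWithOriginCheck(const Rect& r, const CodedSize& c)
{
    if (r.x < 0 || r.y < 0)
        return false;
    return fitsFarEdgeOnly(r, c);
}

// Byte offset of the rect's first pixel in a tightly packed plane
// (assumed layout: stride = coded width * bytesPerPixel).
// A negative result means the first byte lies before the buffer start.
int64_t firstByteOffset(const Rect& r, const CodedSize& c, int64_t bytesPerPixel)
{
    return (r.y * c.width + r.x) * bytesPerPixel;
}

int main()
{
    const CodedSize coded { 64, 48 };        // constructed sample frame
    const Rect inside { 8, 8, 32, 16 };      // constructed: fully inside the frame
    const Rect negative { -8, -4, 72, 52 };  // constructed: far edges land exactly on 64x48

    for (const Rect& r : { inside, negative }) {
        std::printf("x=%lld y=%lld w=%lld h=%lld farEdgeOnly=%d withOrigin=%d firstByte=%lld\n",
            (long long)r.x, (long long)r.y, (long long)r.width, (long long)r.height,
            fitsFarEdgeOnly(r, coded), fitsWithOriginCheck(r, coded),
            (long long)firstByteOffset(r, coded, 4));
    }
    return 0;
}
```
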