[webkit-changes] [WebKit/WebKit] c1787c: jsc_fuz/wktr: heap-buffer-overflow in WebCore::We...

youennf noreply at github.com
Wed Dec 20 08:52:19 PST 2023


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: c1787ccc4e9191a754f0ccfd07ad2d2f74a52b78
      https://github.com/WebKit/WebKit/commit/c1787ccc4e9191a754f0ccfd07ad2d2f74a52b78
  Author: Youenn Fablet <youennf at gmail.com>
  Date:   2023-12-20 (Wed, 20 Dec 2023)

  Changed paths:
    A LayoutTests/http/wpt/webcodecs/videoFrame-rect-expected.txt
    A LayoutTests/http/wpt/webcodecs/videoFrame-rect.html
    M LayoutTests/platform/wpe/TestExpectations
    M Source/WebCore/Modules/webcodecs/WebCodecsVideoFrameAlgorithms.cpp

  Log Message:
  -----------
  jsc_fuz/wktr: heap-buffer-overflow in WebCore::WebCodecsVideoFrame::copyTo(...) WebCodecsVideoFrame.cpp:488
https://bugs.webkit.org/show_bug.cgi?id=262955
rdar://115835656

Reviewed by Eric Carlson.

We add a check that x and y are positive or zero.
Otherwise, we might still pass the check that the total width or height is below the codedWidth/codedHeight, while it is not.

* LayoutTests/http/wpt/webcodecs/videoFrame-rect-expected.txt: Added.
* LayoutTests/http/wpt/webcodecs/videoFrame-rect.html: Added.
* Source/WebCore/Modules/webcodecs/WebCodecsVideoFrameAlgorithms.cpp:
(WebCore::parseVisibleRect):

Originally-landed-as: 267815.265 at safari-7617-branch (aa715fb68472). rdar://119565892
Canonical link: https://commits.webkit.org/272352@main
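
The gap the log message describes, as an added example (not WebKit's code and not taken from this commit): a rectangle with a negative origin satisfies a sum-only bounds check, yet a copy starting at that origin would read before the start of the plane. All names are hypothetical, and signed 64-bit coordinates and a single one-byte-per-pixel plane are assumptions.

```cpp
#include <cstdint>
#include <cstdio>

// Hypothetical rectangle type for illustration; not WebKit's.
struct Rect { int64_t x, y, width, height; };

// Sum-only validation: checks only that the far edges stay inside the coded size.
bool sumOnlyCheck(const Rect& r, int64_t codedWidth, int64_t codedHeight)
{
    return r.width > 0 && r.height > 0
        && r.x + r.width <= codedWidth
        && r.y + r.height <= codedHeight;
}

// Same validation, with the origin also required to be positive or zero.
bool signAndSumCheck(const Rect& r, int64_t codedWidth, int64_t codedHeight)
{
    return r.x >= 0 && r.y >= 0 && sumOnlyCheck(r, codedWidth, codedHeight);
}

// True if every byte a row-by-row copy of r would read lies inside a
// codedWidth * codedHeight buffer (assumed layout: one byte per pixel,
// stride equal to codedWidth). Assumes width > 0 and height > 0.
bool readsStayInPlane(const Rect& r, int64_t codedWidth, int64_t codedHeight)
{
    int64_t first = r.y * codedWidth + r.x;
    int64_t last = (r.y + r.height - 1) * codedWidth + (r.x + r.width - 1);
    return first >= 0 && last < codedWidth * codedHeight;
}

int main()
{
    const int64_t codedWidth = 16, codedHeight = 16;
    // Constructed sample rectangles: negative x, negative y, well-formed.
    const Rect samples[] = { { -8, 0, 16, 4 }, { 0, -2, 4, 8 }, { 4, 4, 8, 8 } };
    for (const Rect& r : samples) {
        std::printf("x=%lld y=%lld sum-only=%d sign+sum=%d in-plane=%d\n",
            (long long)r.x, (long long)r.y,
            sumOnlyCheck(r, codedWidth, codedHeight),
            signAndSumCheck(r, codedWidth, codedHeight),
            readsStayInPlane(r, codedWidth, codedHeight));
    }
    return 0;
}
```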



