[webkit-changes] [WebKit/WebKit] 4e5881: Security hardening for SincResampler

Chris Dumez noreply at github.com
Wed Nov 8 15:24:40 PST 2023


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 4e588185b2305d1a7632ba08e25af52248716242
      https://github.com/WebKit/WebKit/commit/4e588185b2305d1a7632ba08e25af52248716242
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-11-08 (Wed, 08 Nov 2023)

  Changed paths:
    M Source/WTF/wtf/Algorithms.h
    M Source/WebCore/platform/audio/AudioArray.h
    M Source/WebCore/platform/audio/AudioBus.cpp
    M Source/WebCore/platform/audio/AudioChannel.h
    M Source/WebCore/platform/audio/MultiChannelResampler.cpp
    M Source/WebCore/platform/audio/MultiChannelResampler.h
    M Source/WebCore/platform/audio/SincResampler.cpp
    M Source/WebCore/platform/audio/SincResampler.h

  Log Message:
  -----------
  Security hardening for SincResampler
https://bugs.webkit.org/show_bug.cgi?id=261317
rdar://105650262

Reviewed by David Kilzer and Darin Adler.

Do security hardening for SincResampler as we have evidence that we're getting
the logic wrong in some cases and doing a heap-buffer overflow WRITE.

This patch updates SincResampler to use `std::span<float>` instead of `float*` and
to leverage new memcpySpans() / memsetSpan() functions
I added to WTF.

This had several benefits:
- Using std::span means we don't lose track of our buffer bounds so we can do
  extra bounds checks.
- We benefit from std::span's bounds checks too which are already enabled on trunk
  via `-D_LIBCPP_ENABLE_ASSERTIONS=1`. Those checks apply to subspan() and operator[]
  in particular, both of which are used by SincResampler.

* Source/WTF/WTF.xcodeproj/project.pbxproj:
* Source/WTF/wtf/Algorithms.h:
(WTF::memcpySpans):
(WTF::memsetSpan):
* Source/WebCore/platform/audio/AudioArray.h:
(WebCore::AudioArray::toSpan):
(WebCore::AudioArray::toSpan const):
* Source/WebCore/platform/audio/AudioBus.cpp:
(WebCore::AudioBus::createBySampleRateConverting):
* Source/WebCore/platform/audio/AudioChannel.h:
* Source/WebCore/platform/audio/MultiChannelResampler.cpp:
(WebCore::MultiChannelResampler::process):
(WebCore::MultiChannelResampler::provideInputForChannel):
* Source/WebCore/platform/audio/MultiChannelResampler.h:
* Source/WebCore/platform/audio/SincResampler.cpp:
(WebCore::SincResampler::SincResampler):
(WebCore::SincResampler::updateRegions):
(WebCore::SincResampler::processBuffer):
(WebCore::SincResampler::process):
* Source/WebCore/platform/audio/SincResampler.h:

Originally-landed-as: 265870.537 at safari-7616-branch (9c1f377498c2). rdar://118088415
Canonical link: https://commits.webkit.org/270409@main
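The hardening described in the commit message relies on the buffer length travelling with the pointer so that subspan() and the copy helpers can refuse an out-of-range write. The following is an added illustration, not WebKit code: FloatSpan, memcpySpansChecked and writeBlock are hypothetical stand-ins (a minimal span type is used so the block compiles under C++17), written to report a violation as a return value rather than abort, so the effect is observable.

```cpp
#include <cstddef>
#include <cstring>
#include <vector>

// Hypothetical stand-in for std::span<float>: the length travels with the pointer,
// so subspan() can be range-checked the way libc++ does under _LIBCPP_ENABLE_ASSERTIONS.
struct FloatSpan {
    float* data = nullptr;
    size_t size = 0;

    // Checked subspan: reports failure instead of aborting so callers can observe it.
    bool subspan(size_t offset, size_t count, FloatSpan& out) const {
        if (offset > size || count > size - offset)
            return false;
        out = FloatSpan { data + offset, count };
        return true;
    }
};

// Hypothetical checked copy: refuses when the source would not fit the destination.
bool memcpySpansChecked(FloatSpan destination, FloatSpan source) {
    if (source.size > destination.size)
        return false;
    std::memcpy(destination.data, source.data, source.size * sizeof(float));
    return true;
}

// Hypothetical checked fill: zeroes exactly the floats the span owns, no more.
void memsetSpanZero(FloatSpan destination) {
    std::memset(destination.data, 0, destination.size * sizeof(float));
}

// Resampler-style step: place one block of samples at `offset` inside `output`.
// With a raw float* a wrong offset writes past the heap allocation; with spans
// the same logic error becomes a detectable refusal.
bool writeBlock(FloatSpan output, size_t offset, FloatSpan block) {
    FloatSpan window;
    if (!output.subspan(offset, block.size, window))
        return false;
    return memcpySpansChecked(window, block);
}

// Drives writeBlock over a constructed output buffer and returns how many blocks
// were accepted; blocks that would overflow are rejected rather than written.
int acceptedBlocks(size_t outputFrames, size_t blockFrames, size_t stride, size_t blocks) {
    std::vector<float> output(outputFrames), block(blockFrames, 1.0f);
    FloatSpan out { output.data(), output.size() };
    memsetSpanZero(out);
    int accepted = 0;
    for (size_t i = 0; i < blocks; ++i)
        accepted += writeBlock(out, i * stride, FloatSpan { block.data(), block.size() }) ? 1 : 0;
    return accepted;
}
```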
