[webkit-changes] [WebKit/WebKit] a790f1: [WebAudio] Potential out of bounds read in copyDat...

[Chris Dumez]

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: a790f14404a5bedb5411f2cd4847b35d642ccf5c
      https://github.com/WebKit/WebKit/commit/a790f14404a5bedb5411f2cd4847b35d642ccf5c
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2024-10-30 (Wed, 30 Oct 2024)

  Changed paths:
    M Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp

  Log Message:
  -----------
  [WebAudio] Potential out of bounds read in copyDataFromBusesToJSArray()
https://bugs.webkit.org/show_bug.cgi?id=277639
rdar://132984512

Reviewed by Yusuke Suzuki.

The AudioWorkletProcessor constructs a JSArray of JSFloat32Arrays that is frozen.
Then it passes the JSArray to arbitrary JavaScript so it can modify the data in
the JSFloat32Arrays. Finally, we memcpy the data from the JSFloat32Arrays to our
audio buses. Because the array is frozen, we expected that the arrays couldn't
change. However, one could set a shared array buffer at a particular index by
modifying Array.prototype. This would render our memcpy logic unsafe since the
size of the array could change on the main thread while we memcpy on the audio
worklet thread.

To address the issue, I now call `getDirectIndex()` instead of `getIndex()` to
ignore values set on the Array prototype and only consider the ones I populated
the array with. I'm also adding validation to make sure the the JSFloat32Arrays
are not shared since I'm constructing unshared ones.

* Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp:
(WebCore::getArrayAtIndex):
(WebCore::copyDataFromJSArrayToBuses):
(WebCore::copyDataFromBusesToJSArray):
(WebCore::zeroJSArray):

Originally-landed-as: 280938.195 at safari-7619-branch (1bac059fd67b). rdar://138871121
Canonical link: https://commits.webkit.org/285940@main



To unsubscribe from these emails, change your notification settings at https://github.com/WebKit/WebKit/settings/notifications