[Webkit-unassigned] [Bug 239154] [CoreIPC][WebGL] Heap Buffer Overflow from CoreIPC WebGL MultiDraw* due to discarded firsts/counts length in favour of attacker controlled drawcount

bugzilla-daemon at webkit.org
Mon Apr 18 16:28:43 PDT 2022


https://bugs.webkit.org/show_bug.cgi?id=239154

--- Comment #11 from Kenneth Russell <kbr at google.com> ---
Comment on attachment 457590
  --> https://bugs.webkit.org/attachment.cgi?id=457590
Patch

Would it be more straightforward to send the spans over IPC as specified by the web app, and verify that their size is >= drawcount in GraphicsContextGLANGLE in the GPU process?

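The check proposed in the comment above, written out as an added example that is not WebKit code and not the patch under review. It models a GPU-process dispatch for a MultiDrawArrays-style message: the `firsts` and `counts` spans arrive with the element counts the decoder established, `drawcount` is the attacker-controlled value, and the dispatch refuses the call unless both spans cover at least `drawcount` elements. `IPCSpan`, `FakeGLContext`, `safeMultiDrawArrays` and `runScenario` are hypothetical stand-ins for the real IPC span type and for `GraphicsContextGLANGLE`; the four-entry sample arrays are constructed for the example.

```cpp
// Added example, not WebKit code. Names below are hypothetical stand-ins.
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Hypothetical IPC span: a pointer plus the element count the decoder established
// from the message itself (not from any length field the web content chose).
template <typename T>
struct IPCSpan {
    const T* data;
    size_t size;
};

// Hypothetical stand-in for the ANGLE-backed context. Like a real GL entry point it
// indexes firsts[i] and counts[i] for every i < drawcount and trusts the caller that
// both arrays are that long; this is the read that overflows if drawcount is trusted.
struct FakeGLContext {
    long long verticesDrawn = 0;
    void multiDrawArrays(const int32_t* firsts, const int32_t* counts, int32_t drawcount) {
        for (int32_t i = 0; i < drawcount; ++i) {
            (void)firsts[i];            // a real driver reads the start index here
            verticesDrawn += counts[i]; // and the vertex count here
        }
    }
};

enum class DispatchResult { Drawn, RejectedNegativeDrawcount, RejectedSpanTooShort };

// The check from the comment: compare the sizes the spans actually carried against the
// drawcount the message claims, before anything is handed to the GL context.
DispatchResult safeMultiDrawArrays(FakeGLContext& gl, IPCSpan<int32_t> firsts,
                                   IPCSpan<int32_t> counts, int32_t drawcount) {
    if (drawcount < 0)
        return DispatchResult::RejectedNegativeDrawcount;
    size_t needed = static_cast<size_t>(drawcount);
    if (firsts.size < needed || counts.size < needed)
        return DispatchResult::RejectedSpanTooShort;
    gl.multiDrawArrays(firsts.data, counts.data, drawcount);
    return DispatchResult::Drawn;
}

// Constructed scenario: four real entries exist; firstsLen and countsLen (each <= 4)
// model a message whose decoded spans are shorter than the drawcount it claims.
struct ScenarioResult {
    DispatchResult result;
    long long vertices;
};

ScenarioResult runScenario(size_t firstsLen, size_t countsLen, int32_t drawcount) {
    static const int32_t kFirsts[4] = {0, 4, 8, 12};  // constructed sample data
    static const int32_t kCounts[4] = {4, 4, 4, 4};   // constructed sample data
    FakeGLContext gl;
    DispatchResult r = safeMultiDrawArrays(gl, {kFirsts, firstsLen}, {kCounts, countsLen}, drawcount);
    return {r, gl.verticesDrawn};
}

DispatchResult scenario(size_t firstsLen, size_t countsLen, int32_t drawcount) {
    return runScenario(firstsLen, countsLen, drawcount).result;
}

long long verticesFor(size_t firstsLen, size_t countsLen, int32_t drawcount) {
    return runScenario(firstsLen, countsLen, drawcount).vertices;
}

int main() {
    // Honest message: spans of 4, drawcount 4.
    std::printf("4/4/4 -> %d, vertices %lld\n", (int)scenario(4, 4, 4), verticesFor(4, 4, 4));
    // Attacker claims drawcount 5 with only 4 entries: rejected, nothing drawn.
    std::printf("4/4/5 -> %d, vertices %lld\n", (int)scenario(4, 4, 5), verticesFor(4, 4, 5));
    // Short firsts span: rejected.
    std::printf("2/4/4 -> %d\n", (int)scenario(2, 4, 4));
    // Negative drawcount (GLsizei): rejected before the size_t conversion.
    std::printf("4/4/-1 -> %d\n", (int)scenario(4, 4, -1));
    return 0;
}
```

The comparison uses the span sizes the decoder produced, so the check is only as good as the decoder: the span length must itself have been validated against the remaining bytes of the IPC message, otherwise the GPU process is again trusting a length the sender chose. The same shape applies to the MultiDrawElements variants, where the offsets span takes the place of `firsts`.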

