[Webkit-unassigned] [Bug 273435] PDF.js contains binary code

bugzilla-daemon at webkit.org
Wed May 1 14:27:22 PDT 2024


https://bugs.webkit.org/show_bug.cgi?id=273435

--- Comment #4 from Michael Catanzaro <mcatanzaro at redhat.com> ---
So after talking with one of the PDF.js developers, we won't need to use gulp. With some effort, we can build the binaries as part of the CMake/Xcode build, depending only on Emscripten:

 * https://github.com/mozilla/pdf.js.quickjs/blob/main/compile.sh
 * https://github.com/mozilla/pdf.js.openjpeg/blob/main/compile.sh

Unfortunately, if we depend on Emscripten then the PDF.js support will surely wind up disabled in places we care about, like Fedora (no Emscripten package) and possibly also Epiphany Tech Preview (not sure about adding it to GNOME and WebKit SDKs, and definitely won't want to bundle it in Epiphany).

Right now the most likely plan is to (a) explore whether we can run JS in a fresh/isolated JSContext rather than using quick.js, and (b) manually downgrade to the previous version of PDF.js's JPEG 2000 decoder or just sabotage the JPEG 2000 support.

PDF.js contains stubs in https://github.com/mozilla/pdf.js/blob/33732ff2cba88e262dcd542b97a237fe8b9bbe35/src/pdf.sandbox.external.js that allow the quick.js sandbox to be replaced by a custom sandbox. Firefox does so in https://searchfox.org/mozilla-central/rev/b41bb321fe4bd7d03926083698ac498ebec0accf/toolkit/components/pdfjs/content/PdfSandbox.sys.mjs. We can use user scripts to register a custom JS function that would only be accessible to PDF.js. PDFDocument.cpp would then run the script, equivalent to Services.scriptloader.loadSubScript. We'd also need to implement exportValueToSandbox, importValueFromSandbox, and createErrorForSandbox. This will probably require PDFDocument to keep a map of JSContexts, since each PDF document could have multiple JS sandboxes. I'm not sure if this would actually work or if I'm underestimating the difficulty, but it sounds doable?

Additional context:

 * The purpose of the sandbox is to allow executing PDF JS, i.e. untrusted JS embedded in PDF documents.
 * Unfortunately a Firefox developer encountered a PDF with a JPEG 2000 image in the wild, and the previous decoder didn't handle it correctly.
