[Webkit-unassigned] [Bug 290201] New: [Fuzz Blocker][CoreIPC][GPU] WTF::Vector initial capacity isn't validated in RemoteGraphicsContextGL

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Mar 21 12:21:06 PDT 2025


https://bugs.webkit.org/show_bug.cgi?id=290201

            Bug ID: 290201
           Summary: [Fuzz Blocker][CoreIPC][GPU] WTF::Vector initial
                    capacity isn't validated in RemoteGraphicsContextGL
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Keywords: InRadar
          Severity: Major
          Priority: P1
         Component: WebGL
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: roberto_rodriguez2 at apple.com
                CC: djg at apple.com, kbr at google.com, kkinnunen at apple.com

rdar://146284403
(Radar originator: Jérémie Boutoille)

In `Source/WebKit/GPUProcess/graphics/RemoteGraphicsContextGLFunctionsGenerated.h`, this code pattern appears multiple times:

```
    void getFloatv(uint32_t pname, size_t valueSize, CompletionHandler<void(std::span<const float>)>&& completionHandler)
    {
        assertIsCurrent(workQueue());
        Vector<GCGLfloat, 16> value(valueSize, 0);
        protectedContext()->getFloatv(pname, value);
        completionHandler(spanReinterpretCast<const float>(value.span()));
    }
```

`valueSize` is used without validation as the initial WTF::Vector capacity. This means that if a big value is provided, a crash occurs. It should be validated like this:

```
    void getFloatv(uint32_t pname, size_t valueSize, CompletionHandler<void(std::span<const float>)>&& completionHandler)
    {
        assertIsCurrent(workQueue());
        if (!WTF::isValidCapacityForVector<GCGLfloat>(valueSize))
            return;
        Vector<GCGLfloat, 16> value(valueSize, 0);
        protectedContext()->getFloatv(pname, value);
        completionHandler(spanReinterpretCast<const float>(value.span()));
    }
```

This is not a security issue, but it’s currently blocking our fuzzer.

To reproduce:
1. Build WebKit with ASan enabled.
2. Run the command: ./WebKitTestRunner --internal-feature IPCTestingAPIEnabled --no-timeout gl.html
3. You should observe that the process crashes.

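Added example, not code from the report or from WebKit's tree: the handler pattern above rebuilt stand-alone, with the size check done before the allocation as the proposed fix does, plus a second, assumed bound that a reviewer would ask for. WTF::Vector is replaced by std::vector, the GL context by a constructed stand-in (`FakeContext`), and the capacity bound is modelled on the intent of `WTF::isValidCapacityForVector` rather than copied from it; `validateValueSize`, `SizeCheck` and the per-query value counts are assumptions for the example.

```cpp
// Added example (not WebKit code): the IPC handler pattern from the report,
// with the size check performed before the allocation. WTF::Vector is
// replaced by std::vector and the real GL context by a constructed stand-in.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <limits>
#include <vector>

using GCGLfloat = float;
using GCGLenum = uint32_t;

// Assumption: modelled on the intent of WTF::isValidCapacityForVector, which
// bounds the element count so the capacity fits the vector's capacity field
// (unsigned in WTF); the exact WTF bound may differ. Rejecting here also rules
// out overflow in count * sizeof(T) before any allocation is attempted.
template<typename T>
constexpr bool isValidCapacityForVector(size_t newCapacity)
{
    return newCapacity <= std::numeric_limits<unsigned>::max() / sizeof(T);
}

// Constructed stand-in for the GL context. Writes as many values as the
// query produces, but never past the end of the caller's buffer.
struct FakeContext {
    static size_t valueCountFor(GCGLenum pname)
    {
        switch (pname) {
        case 0x0B70: return 2; // GL_DEPTH_RANGE
        case 0x0C22: return 4; // GL_COLOR_CLEAR_VALUE
        default: return 1;
        }
    }
    void getFloatv(GCGLenum pname, std::vector<GCGLfloat>& value) const
    {
        size_t n = std::min(value.size(), valueCountFor(pname));
        for (size_t i = 0; i < n; ++i)
            value[i] = static_cast<GCGLfloat>(i) + 0.5f;
    }
};

enum class SizeCheck { Ok, ExceedsVectorCapacity, ExceedsQueryResult };

// Two layers of validation on the untrusted valueSize (assumed policy):
//  1. the capacity check from the proposed fix, which stops the crash;
//  2. a tighter bound against what the query can actually return, so a
//     valid-but-huge count (gigabytes of floats) is refused as well.
SizeCheck validateValueSize(GCGLenum pname, size_t valueSize)
{
    if (!isValidCapacityForVector<GCGLfloat>(valueSize))
        return SizeCheck::ExceedsVectorCapacity;
    if (valueSize > FakeContext::valueCountFor(pname))
        return SizeCheck::ExceedsQueryResult;
    return SizeCheck::Ok;
}

// Hardened handler: returns false (message dropped) instead of allocating
// from an unvalidated size. On success `out` holds exactly valueSize floats.
bool getFloatvChecked(const FakeContext& ctx, GCGLenum pname, size_t valueSize, std::vector<GCGLfloat>& out)
{
    if (validateValueSize(pname, valueSize) != SizeCheck::Ok)
        return false;
    out.assign(valueSize, 0);
    ctx.getFloatv(pname, out);
    return true;
}
```

The capacity check alone only prevents the overflow and the resulting crash: a count just under the bound is still a multi-gigabyte allocation in the GPU process driven by one IPC message, which is why the example also bounds valueSize by what the query can return.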