Fix issue in createFidoAttestationStatementFromU2fRegisterResponse

https://bugs.webkit.org/show_bug.cgi?id=272698 rdar://125024119 Reviewed by Charlie Wolfe. Since the x509 length here is user supplied, the addition of the offset could overflow. We fix this issue by using the CheckedArithmetic header. Canonical link: https://commits.webkit.org/272448.931@safari-7618-branch
WebKit · Apr 15, 2024 · 595fc45 · 595fc45
1 parent 2c47832
commit 595fc45
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/Source/WebCore/Modules/webauthn/fido/U2fResponseConverter.cpp b/Source/WebCore/Modules/webauthn/fido/U2fResponseConverter.cpp
@@ -36,6 +36,7 @@
 #include "FidoConstants.h"
 #include "WebAuthenticationConstants.h"
 #include "WebAuthenticationUtils.h"
+#include <wtf/CheckedArithmetic.h>
 
 namespace fido {
 using namespace WebCore;
@@ -116,7 +117,10 @@ static size_t parseX509Length(const Vector<uint8_t>& u2fData, size_t offset)
 static cbor::CBORValue::MapValue createFidoAttestationStatementFromU2fRegisterResponse(const Vector<uint8_t>& u2fData, size_t offset)
 {
     auto x509Length = parseX509Length(u2fData, offset);
-    if (!x509Length || u2fData.size() < offset + x509Length)
+    auto requiredLength = CheckedSize { x509Length } + offset;
+    if (requiredLength.hasOverflowed())
+        return { };
+    if (!x509Length || u2fData.size() < requiredLength)
         return { };
 
     Vector<uint8_t> x509 { u2fData.data() + offset, x509Length };