Fix issue in createFidoAttestationStatementFromU2fRegisterResponse

https://bugs.webkit.org/show_bug.cgi?id=272698 rdar://125024119 Reviewed by Charlie Wolfe. Since the x509 length here is user supplied, the addition of the offset could overflow. We fix this issue by using the CheckedArithmetic header. Originally-landed-as: 272448.931@safari-7618-branch (595fc45). rdar://128091513 Canonical link: https://commits.webkit.org/278873@main
WebKit · May 16, 2024 · 616f42b · 616f42b
1 parent 6a341af
commit 616f42b
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/Source/WebCore/Modules/webauthn/fido/U2fResponseConverter.cpp b/Source/WebCore/Modules/webauthn/fido/U2fResponseConverter.cpp
@@ -36,6 +36,7 @@
 #include "FidoConstants.h"
 #include "WebAuthenticationConstants.h"
 #include "WebAuthenticationUtils.h"
+#include <wtf/CheckedArithmetic.h>
 
 namespace fido {
 using namespace WebCore;
@@ -116,7 +117,10 @@ static size_t parseX509Length(const Vector<uint8_t>& u2fData, size_t offset)
 static cbor::CBORValue::MapValue createFidoAttestationStatementFromU2fRegisterResponse(const Vector<uint8_t>& u2fData, size_t offset)
 {
     auto x509Length = parseX509Length(u2fData, offset);
-    if (!x509Length || u2fData.size() < offset + x509Length)
+    auto requiredLength = CheckedSize { x509Length } + offset;
+    if (requiredLength.hasOverflowed())
+        return { };
+    if (!x509Length || u2fData.size() < requiredLength)
         return { };
 
     auto x509 = u2fData.subvector(offset, x509Length);