Verify range of ArrayBuffer when deserializing an ArrayBufferView

https://bugs.webkit.org/show_bug.cgi?id=270949 rdar://123906915 Reviewed by Chris Dumez. byteOffset and length come from an untrusted source, and if out of bounds they can lead to arbitrary reads. If they are out of bounds, fail to deserialize. * Source/WebCore/bindings/js/SerializedScriptValue.cpp: (WebCore::CloneDeserializer::readArrayBufferViewImpl): Originally-landed-as: 272448.733@safari-7618-branch (7d7e9c9). rdar://128088960 Canonical link: https://commits.webkit.org/278814@main
WebKit · May 15, 2024 · 7fc383d · 7fc383d
1 parent cf7cd9d
commit 7fc383d
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/Source/WebCore/bindings/js/SerializedScriptValue.cpp b/Source/WebCore/bindings/js/SerializedScriptValue.cpp
@@ -3763,6 +3763,9 @@ class CloneDeserializer : public CloneBase {
             return true;
         };
 
+        if (!ArrayBufferView::verifySubRangeLength(arrayBuffer->byteLength(), byteOffset, length.value_or(0), 1))
+            return false;
+
         switch (arrayBufferViewSubtag) {
         case DataViewTag:
             return makeArrayBufferView(DataView::wrappedAs(arrayBuffer.releaseNonNull(), byteOffset, length).get());