Commit
Verify range of ArrayBuffer when deserializing an ArrayBufferView
https://bugs.webkit.org/show_bug.cgi?id=270949
rdar://123906915

Reviewed by Chris Dumez.

byteOffset and length come from an untrusted source, and if out of bounds they can lead to arbitrary reads. If they are out of bounds, fail to deserialize.

* Source/WebCore/bindings/js/SerializedScriptValue.cpp:
(WebCore::CloneDeserializer::readArrayBufferViewImpl):

Originally-landed-as: 272448.733@safari-7618-branch (7d7e9c9). rdar://128088960
Canonical link: https://commits.webkit.org/278814@main
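The range check the commit message describes, written out as an added example: this is not the WebKit patch, and every name in it (`View`, `naiveRangeCheck`, `viewRangeIsValid`, `deserializeView`) is hypothetical. It goes one step beyond the message by showing why the comparison uses subtraction and division, since the additive form wraps for large untrusted values.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Hypothetical names throughout; this is not WebKit's code.
struct View {
    const std::uint8_t* data;
    std::uint64_t byteLength;
};

// Overflow-prone form: length * elementSize and the addition can both wrap.
bool naiveRangeCheck(std::uint64_t bufferByteLength, std::uint64_t byteOffset,
                     std::uint64_t length, std::uint64_t elementSize)
{
    return byteOffset + length * elementSize <= bufferByteLength;
}

// Wrap-free form: only subtracts and divides values already known to be in range.
bool viewRangeIsValid(std::uint64_t bufferByteLength, std::uint64_t byteOffset,
                      std::uint64_t length, std::uint64_t elementSize)
{
    if (elementSize == 0 || byteOffset > bufferByteLength)
        return false;
    return length <= (bufferByteLength - byteOffset) / elementSize;
}

// byteOffset and length are the untrusted values from the serialized stream;
// length counts elements. On a bad range, deserialization fails and no view is made.
bool deserializeView(const std::uint8_t* buffer, std::uint64_t bufferByteLength,
                     std::uint64_t byteOffset, std::uint64_t length,
                     std::uint64_t elementSize, View& out)
{
    if (!viewRangeIsValid(bufferByteLength, byteOffset, length, elementSize))
        return false;
    out.data = buffer + byteOffset;
    out.byteLength = length * elementSize;
    return true;
}

int main()
{
    static const std::uint8_t backing[16] = {}; // constructed 16-byte buffer
    View v = { nullptr, 0 };
    const std::uint64_t huge = 0x4000000000000000ULL; // huge * 4 wraps to 0
    std::printf("in range:      %d\n", deserializeView(backing, 16, 8, 2, 4, v));
    std::printf("past the end:  %d\n", deserializeView(backing, 16, 8, 3, 4, v));
    std::printf("naive, wrap:   %d\n", naiveRangeCheck(16, 8, huge, 4));
    std::printf("checked, wrap: %d\n", deserializeView(backing, 16, 8, huge, 4, v));
    return 0;
}
```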