Cherry-pick 272448.931@safari-7618-branch (595fc45). https://bugs.web…

…kit.org/show_bug.cgi?id=272698 Fix issue in createFidoAttestationStatementFromU2fRegisterResponse https://bugs.webkit.org/show_bug.cgi?id=272698 rdar://125024119 Reviewed by Charlie Wolfe. Since the x509 length here is user supplied, the addition of the offset could overflow. We fix this issue by using the CheckedArithmetic header. Canonical link: https://commits.webkit.org/272448.931@safari-7618-branch Canonical link: https://commits.webkit.org/274313.246@webkitglib/2.44
WebKit · May 13, 2024 · a7b9958 · a7b9958
1 parent 7823ed2
commit a7b9958
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/Source/WebCore/Modules/webauthn/fido/U2fResponseConverter.cpp b/Source/WebCore/Modules/webauthn/fido/U2fResponseConverter.cpp
@@ -36,6 +36,7 @@
 #include "FidoConstants.h"
 #include "WebAuthenticationConstants.h"
 #include "WebAuthenticationUtils.h"
+#include <wtf/CheckedArithmetic.h>
 
 namespace fido {
 using namespace WebCore;
@@ -116,7 +117,10 @@ static size_t parseX509Length(const Vector<uint8_t>& u2fData, size_t offset)
 static cbor::CBORValue::MapValue createFidoAttestationStatementFromU2fRegisterResponse(const Vector<uint8_t>& u2fData, size_t offset)
 {
     auto x509Length = parseX509Length(u2fData, offset);
-    if (!x509Length || u2fData.size() < offset + x509Length)
+    auto requiredLength = CheckedSize { x509Length } + offset;
+    if (requiredLength.hasOverflowed())
+        return { };
+    if (!x509Length || u2fData.size() < requiredLength)
         return { };
 
     Vector<uint8_t> x509 { u2fData.data() + offset, x509Length };