Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 0fc6efb01ba8e276319400fc2831509e2d76cadf
      
https://github.com/WebKit/WebKit/commit/0fc6efb01ba8e276319400fc2831509e2d76cadf
  Author: Abrar Rahman Protyasha <[email protected]>
  Date:   2025-12-04 (Thu, 04 Dec 2025)

  Changed paths:
    M Source/WebKit/WebProcess/Plugins/PDF/PDFPluginBase.mm

  Log Message:
  -----------
Web process crashes under PDFPluginBase::getByteRanges() during background data preload
https://bugs.webkit.org/show_bug.cgi?id=303543
rdar://130266446

Reviewed by Wenson Hsieh.

The WCP is crashing under PDFPluginBase::getByteRanges() when PDFKit
requests byte ranges during preloading. Code inspection suggests subspan
creation can trigger UB (like crashing) if we integer overflow in the
range validation logic, where range.location + range.length can overflow
and incorrectly pass the bounds check, allowing an OOB read at line 451.

This patch applies the same hardening fix from 297764@main to
getByteRanges(). We adopt isSumSmallerThanOrEqual() to safely validate
range extents. Additionally, even when haveStreamedDataForRange()
returns true, we now verify that the range is within buffer bounds
before attempting to create the subspan.

* Source/WebKit/WebProcess/Plugins/PDF/PDFPluginBase.mm:
(WebKit::PDFPluginBase::getByteRanges const):

Canonical link: https://commits.webkit.org/303958@main
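The overflow the commit message describes, shown as an added example (not WebKit's code). The unsafe check is the `range.location + range.length <= size` pattern; the safe check reimplements the idea behind WTF's isSumSmallerThanOrEqual() under the hypothetical name sumIsSmallerThanOrEqual(). ByteRange, ByteView, viewForRange() and the 100-byte sample buffer are all constructed for the illustration; the wrapping request is chosen so that location + length wraps to 4, which sails past the naive bounds check.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Constructed model of the (location, length) pair a caller hands to a
// getByteRanges-style routine. Hypothetical type, not WebKit's NSRange.
struct ByteRange {
    size_t location;
    size_t length;
};

// The overflow-prone pattern: location + length is computed in size_t and can
// wrap around, so a range far past the end of the buffer "passes" the check.
bool unsafeRangeWithinBuffer(const ByteRange& range, size_t bufferSize)
{
    return range.location + range.length <= bufferSize;
}

// Overflow-safe equivalent (assumption: mirrors the intent of WTF's
// isSumSmallerThanOrEqual, but this is a standalone reimplementation).
// a + b <= limit holds exactly when b <= limit and a <= limit - b, and neither
// of those subexpressions can wrap.
bool sumIsSmallerThanOrEqual(size_t a, size_t b, size_t limit)
{
    return b <= limit && a <= limit - b;
}

bool safeRangeWithinBuffer(const ByteRange& range, size_t bufferSize)
{
    return sumIsSmallerThanOrEqual(range.location, range.length, bufferSize);
}

// A view into the buffer, or {nullptr, 0} when the request is rejected.
struct ByteView {
    const uint8_t* data;
    size_t length;
};

// Hypothetical subspan-creating helper: only hands out a view after the
// overflow-safe bounds check, independent of any earlier "data is present
// for this range" bookkeeping (the second point the commit message makes).
ByteView viewForRange(const std::vector<uint8_t>& buffer, const ByteRange& range)
{
    if (!safeRangeWithinBuffer(range, buffer.size()))
        return { nullptr, 0 };
    return { buffer.data() + range.location, range.length };
}

// Constructed sample input: a 100-byte buffer holding 0..99.
std::vector<uint8_t> sampleBuffer()
{
    std::vector<uint8_t> buffer(100);
    for (size_t i = 0; i < buffer.size(); ++i)
        buffer[i] = static_cast<uint8_t>(i);
    return buffer;
}

// Constructed request: 10 + (SIZE_MAX - 5) wraps to 4 in size_t arithmetic,
// so the unsafe check sees "4 <= 100" and accepts a range that is nowhere
// near inside the buffer.
ByteRange wrappingRange()
{
    return { 10, SIZE_MAX - 5 };
}

int main()
{
    std::vector<uint8_t> buffer = sampleBuffer();
    ByteRange request = wrappingRange();

    std::printf("unsafe check accepts wrapping range: %d\n",
                unsafeRangeWithinBuffer(request, buffer.size()));
    std::printf("safe check accepts wrapping range:   %d\n",
                safeRangeWithinBuffer(request, buffer.size()));

    ByteView view = viewForRange(buffer, ByteRange { 90, 10 });
    std::printf("valid range [90, 100) -> %zu bytes, first byte %u\n",
                view.length, view.data ? view.data[0] : 0u);
    return 0;
}
```

The `location + length` form is the one to grep for in any code that validates offsets against a buffer; the safe form needs no wider integer type and rejects `length > limit` before it ever subtracts.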


