Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: e85dcb7a35a724d209e896b6a6fb4be9bd97fe3e
      
https://github.com/WebKit/WebKit/commit/e85dcb7a35a724d209e896b6a6fb4be9bd97fe3e
  Author: Roberto Rodriguez <[email protected]>
  Date:   2025-12-08 (Mon, 08 Dec 2025)

  Changed paths:
    A LayoutTests/fast/encoding/meta-charset-whitespace-only-expected.txt
    A LayoutTests/fast/encoding/meta-charset-whitespace-only.html
    A LayoutTests/fast/encoding/meta-charset-whitespace-variations-expected.txt
    A LayoutTests/fast/encoding/meta-charset-whitespace-variations.html
    M Source/WebCore/html/parser/HTMLMetaCharsetParser.cpp

  Log Message:
  -----------
  Fix out-of-bounds read in HTMLMetaCharsetParser.cpp
https://bugs.webkit.org/show_bug.cgi?id=303520
rdar://163574708

Reviewed by David Kilzer.

A potential out-of-bounds read vulnerability in HTMLMetaCharsetParser.cpp
caused a crash when processing malformed meta tags containing "charset"
followed by whitespace (e.g., <meta content="charset   ">). The
extractCharset() function skipped whitespace after finding "charset" but
failed to verify the position was still within bounds before accessing the
next character to check for '=', triggering a hardening check failure due
to an out of range index.

The fix adds a simple bounds check (if (pos >= length) break;) after the
whitespace-skipping loop to prevent the attempted out-of-bounds access.

Tests: fast/encoding/meta-charset-whitespace-only.html
       fast/encoding/meta-charset-whitespace-variations.html

* LayoutTests/fast/encoding/meta-charset-whitespace-only-expected.txt: Added.
* LayoutTests/fast/encoding/meta-charset-whitespace-only.html: Added.
* LayoutTests/fast/encoding/meta-charset-whitespace-variations-expected.txt: Added.
* LayoutTests/fast/encoding/meta-charset-whitespace-variations.html: Added.
* Source/WebCore/html/parser/HTMLMetaCharsetParser.cpp:
(WebCore::extractCharset):

Originally-landed-as: 301765.353@safari-7623-branch (0bdd687a5d22). rdar://163574708
Canonical link: https://commits.webkit.org/304132@main
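
The scan pattern the log message describes, as an added example (a simplified model written for this page, not WebKit's extractCharset() and not part of the commit). The names extractCharsetModel and trapsWithoutCheck are hypothetical, and std::string::at() is assumed as a stand-in for the hardened index check.

```cpp
#include <cctype>
#include <stdexcept>
#include <string>

// Simplified model for illustration; not WebKit's extractCharset().
// at() stands in for the hardened index check: it throws where an
// unchecked read would run past the end of the buffer.
std::string extractCharsetModel(const std::string& value, bool withBoundsCheck)
{
    std::string lower;
    for (unsigned char c : value)
        lower += static_cast<char>(std::tolower(c));
    auto isSpace = [&](size_t i) { return static_cast<unsigned char>(value[i]) <= ' '; };

    const size_t length = value.size();
    size_t pos = 0;
    while (pos < length) {
        pos = lower.find("charset", pos);
        if (pos == std::string::npos)
            break;
        pos += 7; // strlen("charset")
        while (pos < length && isSpace(pos)) // may stop at pos == length
            ++pos;
        if (withBoundsCheck && pos >= length) // the check the commit adds
            break;
        if (value.at(pos) != '=') // throws when pos == length
            continue;
        ++pos;
        while (pos < length && isSpace(pos))
            ++pos;
        char quote = 0;
        if (pos < length && (value[pos] == '"' || value[pos] == '\''))
            quote = value[pos++];
        if (pos == length)
            break;
        size_t end = pos;
        while (end < length && (quote ? value[end] != quote : (!isSpace(end) && value[end] != ';')))
            ++end;
        if (quote && end == length)
            break; // closing quote never found
        return value.substr(pos, end - pos);
    }
    return std::string();
}

// True when the variant without the check reaches the out-of-range access.
bool trapsWithoutCheck(const std::string& value)
{
    try { extractCharsetModel(value, false); } catch (const std::out_of_range&) { return true; }
    return false;
}
```

With the check enabled, a value that ends right after "charset" and its trailing whitespace yields an empty result instead of reaching the indexed read.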


