Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 5bd79f324bc5a3aaf8d101087e277b5c611dfbf7
        https://github.com/WebKit/WebKit/commit/5bd79f324bc5a3aaf8d101087e277b5c611dfbf7
Author: Jer Noble <jer.no...@apple.com>
Date: 2023-10-19 (Thu, 19 Oct 2023)

Changed paths:
  M Source/WebCore/platform/graphics/iso/ISOBox.cpp

Log Message:
-----------
Crash in Vector::expandCapacity; WebCore::ISOFairPlayStreamingKeyContextBox::parse()
https://bugs.webkit.org/show_bug.cgi?id=258712
rdar://111171940

Reviewed by Youenn Fablet.

In a number of cases, malformed or malicious boxes claim to have a size much larger than the memory passed to the parser. Cap the m_size parameter to the remaining size of the memory buffer to avoid situations where we attempt to create a vector big enough to hold MAX_INT entries.

* Source/WebCore/platform/graphics/iso/ISOBox.cpp:
(WebCore::ISOBox::peekBox):
(WebCore::ISOBox::parse):

Canonical link: https://commits.webkit.org/265870.2@safari-7616-branch
Canonical link: https://commits.webkit.org/269539@main
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
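Added example, not WebKit's code: a minimal ISO BMFF box-header peek in C++ that applies the clamp the commit describes, so a box claiming a 4 GiB size while only a few bytes remain can never drive a vector allocation past the input. `BoxHeader`, `readBE`, `peekBox` and `payloadLength` are names invented for this example and are not WebKit's ISOBox API.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstring>
#include <vector>

// Minimal ISO BMFF box header: 32-bit big-endian size, 4-byte type, then an
// optional 64-bit "largesize" when size == 1; size == 0 means "runs to end of data".
struct BoxHeader {
    uint64_t declaredSize = 0;  // size the box claims (attacker-controlled)
    uint64_t size = 0;          // size clamped to the bytes actually present
    uint64_t headerLength = 0;  // 8, or 16 when largesize is used
    char type[5] = {};
};

static uint64_t readBE(const uint8_t* p, size_t n) {
    uint64_t v = 0;
    for (size_t i = 0; i < n; ++i) v = (v << 8) | p[i];
    return v;
}

// Peek the box header at `offset`; returns false if the buffer cannot hold even
// the header, or if the declared size is smaller than the header itself.
bool peekBox(const std::vector<uint8_t>& buf, size_t offset, BoxHeader& h)
{
    if (offset > buf.size() || buf.size() - offset < 8) return false;
    const uint8_t* p = buf.data() + offset;
    uint64_t remaining = buf.size() - offset;
    h = BoxHeader{};
    h.declaredSize = readBE(p, 4);
    std::memcpy(h.type, p + 4, 4);
    h.headerLength = 8;
    if (h.declaredSize == 1) {            // extended size follows the type
        if (remaining < 16) return false;
        h.declaredSize = readBE(p + 8, 8);
        h.headerLength = 16;
    } else if (h.declaredSize == 0) {     // box extends to the end of the data
        h.declaredSize = remaining;
    }
    if (h.declaredSize < h.headerLength) return false;
    // The fix the commit describes: never let the claimed size exceed the bytes
    // we were actually given, so any later allocation is bounded by the input.
    h.size = std::min(h.declaredSize, remaining);
    return true;
}

// Number of payload bytes it is safe to allocate for and copy out of this box.
size_t payloadLength(const BoxHeader& h) { return static_cast<size_t>(h.size - h.headerLength); }
```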