Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 77c68ec71672e3060e7f251645bc1429377ae4df
https://github.com/WebKit/WebKit/commit/77c68ec71672e3060e7f251645bc1429377ae4df
Author: Jean-Yves Avenard <[email protected]>
Date: 2026-03-18 (Wed, 18 Mar 2026)
Changed paths:
M Source/WebCore/WebCore.xcodeproj/project.pbxproj
M Source/WebCore/platform/graphics/cocoa/CMUtilities.mm
M Source/WebCore/platform/graphics/iso/ISOSchemeInformationBox.cpp
M Source/WebCore/platform/graphics/iso/ISOTrackEncryptionBox.cpp
M Source/WebCore/platform/graphics/iso/ISOTrackEncryptionBox.h
M Tools/TestWebKitAPI/Tests/WebCore/cocoa/CoreMediaUtilities.mm
Log Message:
-----------
com.apple.WebKit.WebContent at WebCore: unsigned int JSC::DataView::get<unsigned int>
https://bugs.webkit.org/show_bug.cgi?id=310089
rdar://171573373
Reviewed by Youenn Fablet.
getKeyIDs parsed a CommonEncryptionTrackEncryptionBox CMFormatDescription
extension by wrapping the raw CFDataGetBytePtr() result in a
JSC::ArrayBufferContents and reading it via JSC::DataView.
This caused an EXC_BAD_ACCESS (SIGBUS / KERN_PROTECTION_FAILURE) in WebContent
processes.
The root cause is JSC's Gigacage security mitigation: DataView::baseAddress()
routes through CagedPtr::getMayBeNull() → Gigacage::caged(), which computes:
result = gigacageBasePtr + (ptr & gigacageMask)
CFData memory is allocated outside the Gigacage, so after masking the result
falls in the Gigacage's reserved-but-inaccessible virtual address region.
Any read from that address crashes with SIGBUS.
In a WebContent process JSC is always initialised, so the Gigacage is always
active. When the AVStreamDataParser was run in the GPUP, the Gigacage wasn't
active, which prevented this bug from occurring.
Fix: avoid involving JSC at all.
ISOTrackEncryptionBox gains a new parseWithoutTypeAndSize(std::span<const uint8_t>)
overload that uses BitReader instead of JSC::DataView. getKeyIDs is updated to
use span instead, eliminating the ArrayBuffer, DataView, and their associated
SharedTask destructor trampoline entirely.
Tests: Tools/TestWebKitAPI/Tests/WebCore/cocoa/CoreMediaUtilities.mm adds four
API tests:
* Source/WebCore/WebCore.xcodeproj/project.pbxproj:
* Source/WebCore/platform/graphics/cocoa/CMUtilities.mm:
(WebCore::getKeyIDs):
* Source/WebCore/platform/graphics/iso/ISOSchemeInformationBox.cpp:
(WebCore::ISOSchemeInformationBox::parse):
* Source/WebCore/platform/graphics/iso/ISOTrackEncryptionBox.cpp:
(WebCore::ISOTrackEncryptionBox::parseWithoutTypeAndSize):
* Source/WebCore/platform/graphics/iso/ISOTrackEncryptionBox.h:
* Tools/TestWebKitAPI/Tests/WebCore/cocoa/CoreMediaUtilities.mm:
(TestWebKitAPI::makeFormatDescriptionWithTencData):
(TestWebKitAPI::TEST(CMUtilities, GetKeyIDsEmptyTencData)):
(TestWebKitAPI::TEST(CMUtilities, GetKeyIDsTruncatedTencData)):
(TestWebKitAPI::TEST(CMUtilities, GetKeyIDsValidTencData)):
(TestWebKitAPI::TEST(CMUtilities, GetKeyIDsWithActiveGigacage)):
Canonical link: https://commits.webkit.org/309465@main
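The shape of the fix the commit describes, as an added example that is not WebKit's code: a bounds-checked 'tenc' (ISO/IEC 23001-7 TrackEncryptionBox) parser that reads straight from the caller's bytes, so a truncated or empty extension yields a parse failure rather than an out-of-bounds read, and no JSC buffer type (and therefore no Gigacage pointer masking) is ever involved. The ByteSpan struct, TencBox struct and the take() helper are assumptions standing in for std::span and WebKit's BitReader so the block compiles as plain C++17.

```cpp
#include <cstddef>
#include <cstdint>
#include <optional>
#include <vector>
// Minimal non-owning byte view; stands in for std::span so this compiles as C++17.
struct ByteSpan { const uint8_t* ptr; size_t size; };

// Parsed fields of a 'tenc' box (ISO/IEC 23001-7 TrackEncryptionBox).
struct TencBox {
    uint8_t version = 0;
    bool isProtected = false;
    uint8_t perSampleIVSize = 0;
    std::vector<uint8_t> defaultKID; // always 16 bytes when parsing succeeds
    std::vector<uint8_t> constantIV; // only if protected and perSampleIVSize == 0
};

// Pops `count` bytes off the front of `data`; nullopt on short input, so a
// truncated box can never cause a read past the caller's buffer.
static std::optional<ByteSpan> take(ByteSpan& data, size_t count)
{
    if (data.size < count)
        return std::nullopt;
    ByteSpan head { data.ptr, count };
    data = { data.ptr + count, data.size - count };
    return head;
}

// Parses the payload after the box size/type, the shape the commit describes
// for parseWithoutTypeAndSize(std::span<const uint8_t>) (hypothetical name here).
std::optional<TencBox> parseTencWithoutTypeAndSize(ByteSpan data)
{
    TencBox box;
    // version(1) flags(3) reserved(1) reserved-or-byte-blocks(1) isProtected(1) ivSize(1)
    auto fixed = take(data, 8);
    auto kid = take(data, 16);
    if (!fixed || !kid)
        return std::nullopt;
    box.version = fixed->ptr[0];
    box.isProtected = fixed->ptr[6] == 1;
    box.perSampleIVSize = fixed->ptr[7];
    box.defaultKID.assign(kid->ptr, kid->ptr + kid->size);
    if (box.isProtected && !box.perSampleIVSize) { // constant IV follows
        auto ivLength = take(data, 1);
        auto iv = ivLength ? take(data, ivLength->ptr[0]) : std::nullopt;
        if (!iv)
            return std::nullopt;
        box.constantIV.assign(iv->ptr, iv->ptr + iv->size);
    }
    return box;
}
```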