[webkit-changes] [WebKit/WebKit] d3de21: Add bounds checks to platformImportSpki and platfo...

Fri, 29 May 2026 09:40:40 -0700 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: d3de21e23bc8d8443a47227ed0027e7c92b566db
      
https://github.com/WebKit/WebKit/commit/d3de21e23bc8d8443a47227ed0027e7c92b566db
  Author: Pascoe <[email protected]>
  Date:   2026-05-29 (Fri, 29 May 2026)

  Changed paths:
    A LayoutTests/crypto/subtle/ec-import-pkcs8-empty-key-data-expected.txt
    A LayoutTests/crypto/subtle/ec-import-pkcs8-empty-key-data.html
    A LayoutTests/crypto/subtle/ec-import-pkcs8-invalid-length-expected.txt
    A LayoutTests/crypto/subtle/ec-import-pkcs8-invalid-length.html
    A LayoutTests/crypto/subtle/ec-import-pkcs8-truncated-key-expected.txt
    A LayoutTests/crypto/subtle/ec-import-pkcs8-truncated-key.html
    A LayoutTests/crypto/subtle/ec-import-spki-empty-key-data-expected.txt
    A LayoutTests/crypto/subtle/ec-import-spki-empty-key-data.html
    A LayoutTests/crypto/subtle/ec-import-spki-invalid-length-expected.txt
    A LayoutTests/crypto/subtle/ec-import-spki-invalid-length.html
    A LayoutTests/crypto/subtle/ec-import-spki-truncated-key-expected.txt
    A LayoutTests/crypto/subtle/ec-import-spki-truncated-key.html
    M LayoutTests/crypto/subtle/rsa-import-pkcs8-empty-key-data-expected.txt
    M LayoutTests/crypto/subtle/rsa-import-pkcs8-empty-key-data.html
    M LayoutTests/crypto/subtle/rsa-import-pkcs8-invalid-length-expected.txt
    M LayoutTests/crypto/subtle/rsa-import-pkcs8-invalid-length.html
    M LayoutTests/crypto/subtle/rsa-import-pkcs8-truncated-key-expected.txt
    M LayoutTests/crypto/subtle/rsa-import-pkcs8-truncated-key.html
    M LayoutTests/crypto/subtle/rsa-import-spki-empty-key-data-expected.txt
    M LayoutTests/crypto/subtle/rsa-import-spki-empty-key-data.html
    M LayoutTests/crypto/subtle/rsa-import-spki-invalid-length-expected.txt
    M LayoutTests/crypto/subtle/rsa-import-spki-invalid-length.html
    M LayoutTests/crypto/subtle/rsa-import-spki-truncated-key-expected.txt
    M LayoutTests/crypto/subtle/rsa-import-spki-truncated-key.html
    M Source/WebCore/crypto/cocoa/CryptoKeyECCocoa.cpp

  Log Message:
  -----------
  Add bounds checks to platformImportSpki and platformImportPkcs8
rdar://173548767
https://bugs.webkit.org/show_bug.cgi?id=311703

Reviewed by Abrar Rahman Protyasha.

`bytesUsedToEncodedLength()` can return up to 128 for a 0xFF length byte,
which pushes the parsing index past the buffer end. Without a bounds check,
`platformImportSpki` underflows on `keyData.size() - index` and
`platformImportPkcs8` calls `subvector()` out of bounds — both crash the
WebContent process. This is the same bug fixed for RSA in 308706@main.

Tests: crypto/subtle/ec-import-pkcs8-empty-key-data.html
       crypto/subtle/ec-import-pkcs8-invalid-length.html
       crypto/subtle/ec-import-pkcs8-truncated-key.html
       crypto/subtle/ec-import-spki-empty-key-data.html
       crypto/subtle/ec-import-spki-invalid-length.html
       crypto/subtle/ec-import-spki-truncated-key.html

* LayoutTests/crypto/subtle/ec-import-pkcs8-empty-key-data-expected.txt: Added.
* LayoutTests/crypto/subtle/ec-import-pkcs8-empty-key-data.html: Added.
* LayoutTests/crypto/subtle/ec-import-pkcs8-invalid-length-expected.txt: Added.
* LayoutTests/crypto/subtle/ec-import-pkcs8-invalid-length.html: Added.
* LayoutTests/crypto/subtle/ec-import-pkcs8-truncated-key-expected.txt: Added.
* LayoutTests/crypto/subtle/ec-import-pkcs8-truncated-key.html: Added.
* LayoutTests/crypto/subtle/ec-import-spki-empty-key-data-expected.txt: Added.
* LayoutTests/crypto/subtle/ec-import-spki-empty-key-data.html: Added.
* LayoutTests/crypto/subtle/ec-import-spki-invalid-length-expected.txt: Added.
* LayoutTests/crypto/subtle/ec-import-spki-invalid-length.html: Added.
* LayoutTests/crypto/subtle/ec-import-spki-truncated-key-expected.txt: Added.
* LayoutTests/crypto/subtle/ec-import-spki-truncated-key.html: Added.
* LayoutTests/crypto/subtle/rsa-import-pkcs8-empty-key-data-expected.txt:
* LayoutTests/crypto/subtle/rsa-import-pkcs8-empty-key-data.html:
* LayoutTests/crypto/subtle/rsa-import-pkcs8-invalid-length-expected.txt:
* LayoutTests/crypto/subtle/rsa-import-pkcs8-invalid-length.html:
* LayoutTests/crypto/subtle/rsa-import-pkcs8-truncated-key-expected.txt:
* LayoutTests/crypto/subtle/rsa-import-pkcs8-truncated-key.html:
* LayoutTests/crypto/subtle/rsa-import-spki-empty-key-data-expected.txt:
* LayoutTests/crypto/subtle/rsa-import-spki-empty-key-data.html:
* LayoutTests/crypto/subtle/rsa-import-spki-invalid-length-expected.txt:
* LayoutTests/crypto/subtle/rsa-import-spki-invalid-length.html:
* LayoutTests/crypto/subtle/rsa-import-spki-truncated-key-expected.txt:
* LayoutTests/crypto/subtle/rsa-import-spki-truncated-key.html:
* Source/WebCore/crypto/cocoa/CryptoKeyECMac.cpp:
(WebCore::CryptoKeyEC::platformImportSpki):
(WebCore::CryptoKeyEC::platformImportPkcs8):

Originally-landed-as: 305413.644@rapid/safari-7624.2.5.110-branch 
(ba8a6514960f). rdar://176059138
Canonical link: https://commits.webkit.org/314145@main



To unsubscribe from these emails, change your notification settings at 
https://github.com/WebKit/WebKit/settings/notifications

Reply via email to