[4] ShareableBitmap IPC validator integer overflow
Severity: High | Component: WebKit IPC serialization | 3d2be34
Rated High because the observable effect is an IPC validation bypass reachable from a compromised renderer, and the projected escalation (inconsistent bitmap parameters reaching a privileged process for OOB memory access) follows directly from the arithmetic overflow at confidence 0.88 — unverified claims concern the exact signed/unsigned promotion behavior and whether specific downstream processes are impacted.
The IPC validator for ShareableBitmap::bytesPerRow() used a raw multiplication m_size->width() * *bytesPerPixel that could overflow, bypassing the size-consistency check. The fix replaces the raw multiplication with WTF::safeMultiply, which returns false on overflow.
Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in
- [Validator='*bytesPerRow >= m_size->width() * *bytesPerPixel'] unsigned bytesPerRow();
+ [Validator='[&]() { std::remove_cvref_t<decltype(*bytesPerRow)> bytesForWidth; return WTF::safeMultiply(m_size->width(), *bytesPerPixel, bytesForWidth) && *bytesPerRow >= bytesForWidth; }()'] unsigned bytesPerRow();
Patch Details
The patch replaces a one-line inline validator expression with a lambda that first computes the width * bytesPerPixel product via WTF::safeMultiply into a local variable bytesForWidth. If the multiplication overflows, safeMultiply returns false and the validator rejects the IPC message. Only if the multiplication succeeds does the comparison *bytesPerRow >= bytesForWidth proceed. The result type of bytesForWidth is deduced as std::remove_cvref_t<decltype(*bytesPerRow)> — matching the type of bytesPerRow — ensuring the overflow check is performed in the correct arithmetic domain.
Background
WebKit's .serialization.in DSL generates C++ argument coders for IPC messages. Each serialized field can have a [Validator=...] attribute — a C++ expression that must evaluate to true for deserialization to succeed. These validators run in the receiving process and are the primary defense against malformed IPC payloads from compromised senders.
ShareableBitmap is a WebKit type for sharing bitmap image data across process boundaries via shared memory. Its serialized form includes dimensions (m_size), bytesPerPixel, bytesPerRow, and pixel format metadata. The receiving process uses these parameters to compute buffer sizes and offsets when mapping the shared memory region.
WTF::safeMultiply is a WebKit utility that performs multiplication and returns false if the result would overflow the destination type, rather than silently wrapping. It is already used in several other size-computation sites (SharedVideoFrameInfo, CVUtilities, WebAudioBufferList), suggesting awareness of this pattern — but the ShareableBitmap validator was missed.
Analysis
Unsigned/signed arithmetic overflow in an IPC input validator bypassing a size-consistency check.
Before the fix, the validator computed m_size->width() * *bytesPerPixel using native arithmetic. The commit message states the multiplication "could overflow into a negative number", indicating the product was computed in a signed type (though C++ promotion rules for mixed signed/unsigned operands may vary — the practical effect is the same either way). When the width is very large, the multiplication wraps. A wrapped result — whether it becomes a small positive unsigned value or a negative signed value — would satisfy the >= comparison against a normal-looking bytesPerRow, causing the validator to accept an inconsistent bitmap configuration.
Aaaa a Aaaaaaaaaaa Aaaaaaaaaa Aaaaaaaaaa Aaaaaaaa Aa Aaaaaaaa Aaaaa Aaaaa a Aaaaaaaaaaaaaaa Aaa Aaaaaaa Aaaa a Aaaaa Aaaaa Aaaaaa Aaaa Aaaaaa a Aaaaaaaaaaaaaa Aaaaaaaaa Aa a Aaaaa Aaaaaa Aaa Aaa Aaaaaaaaaaaaa Aa a Aaaaaaaaaaaaaa Aaaaa Aaaa Aaaaaa Aaa Aaaaaaaa Aaaaaaaaaaa Aaa Aaaaaaaa Aaaaaaaa Aaa Aaaaaa Aaaaaaaaaaaaa Aaaaaa Aaa Aaaaaaaaaaa Aaaaaa Aa Aaa Aaa Aaaaaaaa Aaa Aaaaaaaaa Aaaaaaa Aaaa Aa Aaa Aaaaa Aaaa Aaa Aaa Aaaaaaaaaaaaaaaaaa Aaaaaaaaaaaaa Aaaa Aaa Aaaaa Aaaaa Aa Aaaaaaa Aaaaaa Aaaaa Aa Aaaaaa Aaaaaaaa Aaaaaaaaa Aa Aaaaaaaaaaaaa Aaaaa Aa Aaaaaa Aa Aaa Aaaaaaaaaa Aaaaaaaa
Aaaa Aaaaaaaaaaaaa Aaaaaaa Aaaaaaaaaaaaa Aaa Aaaaaaaaaa Aaaaaaaaaaa Aaa Aaaaaaaaaaaaaaa Aaa Aaaaaaaaa Aaaaaaaa Aaaa Aaaaaaaaaaaa Aaaaaa Aaaaaaaaaa Aaa Aaaaaaaaaa Aaaaaaaaaa Aaaaaa Aaa Aaaaaaaaa Aaaaaaa Aaaa Aaaa Aa Aaa Aa Aaaaaaaa Aaaaaa Aaaaaaa Aaaaaa Aaa Aaaa Aa Aaaaaaaa Aa Aaa Aaaaaaaaaa Aaaaaaa Aaaaa Aaaaa a Aaaaaaa Aaaa a Aaaa Aaaaa Aaaaa Aaaa Aaaaaaaaa Aaa Aaaaaaaaaaa Aaaaaaa Aaa Aaaaaaaaa Aaaaaaa Aa Aaaaaa Aaaaaaaaaaaa Aaaaaa Aaaaaaaaaaa Aaaa Aaaaa Aaaa Aa Aaaaaaaaaaaaa Aaaaaa Aaaaaa Aa a Aaaa Aaaaaaaaaa Aaaaaaa a a Aaaaaaa Aaaaaa Aaaaaaa
Aaa Aaaaaaaaaa Aaaaaaa Aa Aaaaaa Aaaaaaaaaa Aaaaaaaaaaa Aa Aaaaaaaa Aaaaaaaaaaaaaaaaaaa Aaa Aaa a Aaaaaaaaa Aaaaaa Aa Aaaaaa Aaaa Aaaaaaa Aaaa Aaaa Aaaa Aaaaaa Aaaaaaaaaaa Aaa Aaaaaaa Aaaaaa Aaa Aaaaaaaaaa Aaaa Aaa Aaa Aaaaaaaa Aaaaaaaaa
🔒Explores the cross-process implications of this validation bypass and what memory access primitives it could yield in a privileged process
Subscribe to read more
Audit directions
a Aaaaaaaa Aaa Aaaaaaaaaa Aa Aaaaaaaaaaaaaaaaaaa Aaaa Aaaaaaa Aaaaaaaaaa Aa Aaaaaaaaaaaaaaaaaaa Aaaaaa Aaaaaaa Aaaaaaaa Aaaaaaaaaaa Aaaa Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa Aaa Aaaaaaaaaaaa Aaaaaaaaaaa Aaaaaaaaaa Aaa Aaaaaaaaaaaaaaaa Aaa Aaaaaa Aaaa Aaaa Aaaaaaaaaaaaaa Aa Aaaaaaaaaaaaaaaa Aaaaaa Aaaa Aaa Aaaaaaaaaaa Aaaaaaa Aaaaaaaaaaaaaa Aaaaaaaa Aaa Aaaaa Aa Aaaaaaaa Aa Aaaaa Aaaaaaaaaa Aaaaaa Aaaaaaaaaaa
a Aaaaaaaa Aaaaaaaaaaaaaaaa Aaaaaaaaaa Aaaa Aaaaaaa a Aaaaaaaaaaaaaaaa Aaaaa Aaaaaaa a Aaaaaaaaaaa Aaaaaaaa Aaaa Aaaaaaa Aaaaaaa Aa Aaaaaaaaaaaaaaaaaaaaa Aaaaaaaaaaaa Aaa Aaaaaaaaaaaaaaaaaaa Aaaaa Aaaa Aaaaaaaa Aa Aaaaaaa Aaa Aaaaaaaaaaaaaa Aa Aaaaaaaaaaaaaa Aaaaa Aaaa Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa Aa Aaaaaaaaaaaaaaaaaaaaaaaaa Aaa Aaaaaaaaaaaaaaaaaa Aaaaa Aaaaaa Aaaa Aaaaaaa
a Aaaaa Aaaaa Aaaaaaaaaaaaaaa Aaaaaaaaaa Aaaaa a Aaaa Aaa Aaaaaaaaa Aaaa Aaaaa Aaaa Aaaaaaaaaaaa a Aaaaaaa Aaaa Aaa Aaaaaaaa Aaaa Aaaaaaaaa Aaaaa Aaaaaa Aaaaa Aa Aaaaaaaa Aaaaa Aaaaa Aa a Aaaaaaa Aaaaaa Aa a Aaaaaaaaa Aaaaaa Aaaaaa Aaa Aaa Aaa Aaaaaaaaa Aaaaaaa Aaaaaaaa Aaa Aaaaa Aaaaaa Aaaaaa Aaaa Aaaa Aaa Aaaaaaaaa Aaaaaaaaaaaaaaa Aaaaaaaaaaa
Aaaaaaaaa Aaa Aaaaa Aaaaaaaaaaaaaaa Aaaaaaaaa Aaaaaaaa Aaa Aaa Aaa Aaaaaaaaaaaaaa Aa Aaaaaaaa Aaaa Aaa Aaaaaa Aaaaaaa Aaaaaa Aaaa Aaaaaaaa Aaaaaaaa Aaaa Aaa Aaaaa Aaa Aaaa Aaaaaaaaaaaaa a Aaaaaaaaaa Aaaaaaaa Aaaaaaaaa Aa Aaa Aaaaaaaaa a Aa Aaaaaaaa Aaaaaaaaaa
🔒Multiple IPC validation audit patterns identified, with concrete search targets across WebKit's serialization infrastructure
Subscribe to read more