[14] WebCrypto EC SPKI/PKCS8 importer bounds check
Severity: High | Component: WebCore Web Crypto | d3de21e
Rated High because the diff fixes a renderer-reachable parser bug: a 0xFF length byte advances the parse cursor 128 bytes past the buffer end, causing unsigned underflow on keyData.size() - index (SPKI) or an OOB subvector(index) that trips RELEASE_ASSERT (PKCS8 crash).
CryptoKeyEC::platformImportSpki and platformImportPkcs8 advanced index by bytesUsedToEncodedLength(keyData[index]) + 1 without a bounds check. A long-form length byte returns up to 128, pushing index well past keyData.size().
Source/WebCore/crypto/cocoa/CryptoKeyECCocoa.cpp
index += 1; // Read BIT STRING
+ if (index + bytesUsedToEncodedLength(keyData[index]) + 1 > keyData.size())
+ return nullptr;
index += bytesUsedToEncodedLength(keyData[index]) + 1;
auto keySize = keyData.size() - index;
Patch Details
Bounds checks gate the cursor advance in both importers. Six new EC LayoutTests mirror existing RSA tests one-for-one.
Missing post-advance bounds check on an attacker-controlled ASN.1 length byte that can advance the parse cursor past the buffer end.
Background
SubtleCrypto.importKey accepts SPKI (SubjectPublicKeyInfo) or PKCS8 (PrivateKeyInfo) bytes. ASN.1 DER length encoding: a byte < 0x80 encodes length directly; ≥ 0x80 encodes the number of subsequent bytes that form the length (0xFF means 127 extra bytes, so the length field itself can consume up to 128 bytes). bytesUsedToEncodedLength(b) returns the bytes the length field occupies. Vector<uint8_t>::subvector(offset) RELEASE_ASSERTs offset <= size().
Analysis
The commit message says it explicitly: same bug fixed for RSA in 308706@main. EC was simply missed.
Aaa Aaaa Aaa Aaaaaa Aaaaa Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa Aaa Aaaaaaa Aaaaa Aaaaaaa Aaaaaaaaaaaa Aaaaaaa Aaaaaa a Aa a Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a a a Aa a Aaa a a a Aaaaa Aaaaaaaaaaaaaaa a Aaaaa a Aa a Aaaa Aaaaaaaaaa Aa Aaaaaaaaaaaa Aaaaa Aaaaa Aaaaaaaaaaaaaaaaaaaaaaaaaa Aaaa Aaaaaa a Aaaaaaaaaaaaaaa Aaaaaa Aaa Aaaaaaaaaa Aaaaaaa Aaa Aaaaaaaaaaaaaaaaa Aaaa Aaaaa Aaa Aaaaaaaaaaa Aaaaaa Aaaaa Aaaa Aaaaaaaa Aaaaaaaaaaa Aaaaaaaaa Aa a Aaaaaaaaaa Aaa Aaaa Aaaaaaa Aa a Aaaaaaaaaa Aaaaaaaa Aaaaaaaa Aa Aaaaaa Aaaaaaaaaaa Aaaaa Aaa Aaaa Aaaa Aaa Aaaaaa
Aaaa Aaaaaaaaaaaaa Aaaaaaa Aaaaaaaaaaaaaaaa Aaaaaaaaaaaa Aaa Aaaaaaaaaaaaa Aaaaaaaaa Aa a Aaaaaaaaaaaaa Aaaaaaa Aaa Aaaaaa Aaaaaaaaa Aaa Aaaaaaa Aa Aaaaaaaa Aaaaa Aaaaaa Aaaaaaaaaaaaaa Aaaaaaaaaaa Aaaa Aaaaaaaaa Aaa Aaa Aaaa Aaa Aaa Aaaaa Aaa Aaaaaa Aaaaaa Aaaaa
🔒How a single malformed length byte in a `crypto.subtle.importKey` call drives the parse cursor off the end of the buffer — and what the two diverging consequences mean for the renderer.
Subscribe to read more
Audit directions
a Aaaaaaa Aaaaaaaaaaaaaaaaaaaaaaaaaaaaa Aaaaaaaaaaa Aaaaaaa Aaaaa a Aaaaa Aaaaaa Aa Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a Aa Aaaa Aa Aaaaaaaa Aa a Aaaaaa Aaaaaa Aaaaa Aaaa Aaaaaaaaaaaaaaaaaaaa Aaaaaaaaaaaaaaaaaaaa Aaaaaaaaaaaaaaaaaaaaa Aaa Aaa Aaaaaaaaaa
a Aaaaaaaaaa Aaaaaaaaa Aa Aaaaaaaaaaaaaa a Aaaaaaaaaa Aaaa Aaaaaaaaaaaaaaaaaaaaaaaa Aaa Aaaaaaaaaa Aa Aaaa Aaaaa Aaaaa Aaaaaaaa Aaa Aaaaaaaa Aa Aaaaaa Aaaaaa Aaaaaa
a Aaaaaaaaaaaaaaaaaaaaaaaaaaaaa a Aaaaaaaaaaaaaaaaaaaaaa Aaaa Aaaaaaaaaaaaaaaa Aaaaaaaaaa Aaaaaa Aaaaaaaaaaaaaaaaaaaaaaaa Aaa Aaaaaaaa Aaaaaaa Aaaaaaaaa Aaaaa Aaaaaaaaaaa Aaaaaaaaa
a Aaaaaaa Aaaaaaaaaaaaa Aaa Aaaaa Aaa Aaaaaaaaaaaaaaaaa Aaaaaaaaaaa Aaa Aaaaaaaaaaaaa Aaaaa Aaaaa Aaaaaaaaaaaaaaaaa Aa Aaaaa Aaaa Aa Aaaa a Aaaaa Aaaaaaaaaaaaaaa Aaaaaaaaaaaaaaaa Aaaaaaaaaaaaaaaa Aaa Aaa Aaaaaaaaaaaaa
🔒Multiple reusable audit patterns identified across WebKit's ASN.1 / DER parsers, with concrete starting points for variant discovery in sibling-algorithm key importers.
Subscribe to read more