[20] [WebCore] Fix INT32_MIN UB in BackForwardController distance arithmetic
Severity: Low | Component: WebKit UIProcess back/forward navigation | a6cd3ca
Rated Low because the diff hardens the INT32_MIN arithmetic path in BackForwardController::canGoBackOrForward and WebBackForwardList::itemAtDeltaFromCurrentIndex. Pre-fix, static_cast<unsigned>(-distance) is undefined behaviour when distance == INT32_MIN and may bypass the underflow guard, but the downstream effect is bounded by the back/forward list's array indexing and does not yield a controlled memory primitive.
The signed negation is replaced with safe widened arithmetic; delta/distance is computed in a wider type or guarded against INT32_MIN before negation.
Source/WebCore/history/BackForwardController.cpp
Signed integer overflow in an underflow guard that is itself exposed to attacker-supplied INT32_MIN via the backForwardItemAtIndexForWebContent IPC.
Patch Details
The negation is guarded for INT32_MIN. The same change is applied in WebBackForwardList::itemAtDeltaFromCurrentIndex.
Background
backForwardItemAtIndexForWebContent is an IPC handler in the UI process. The WebContent process sends a delta from the current index; the handler walks the back/forward stack.
Analysis
Pre-fix, the negative-distance branch performed the negation in signed arithmetic: static_cast<unsigned>(-distance) evaluates -distance as an int first and only then casts. With distance == INT32_MIN, -INT32_MIN is not representable as a positive int, so the negation is signed integer overflow, i.e. undefined behaviour.
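The pre-fix guard beside the widened form, as an added example that is not WebKit's code: the list struct, its counts and the function names are a constructed stand-in for the back/forward list, and the widened-arithmetic variant is one of the two hardening options the summary names (the other being an explicit INT32_MIN check before negation).

```cpp
#include <climits>
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Constructed stand-in for a back/forward list (not WebKit's class).
struct BackForwardList {
    std::vector<std::string> items;
    size_t currentIndex;
    unsigned backCount() const { return static_cast<unsigned>(currentIndex); }
    unsigned forwardCount() const {
        return items.empty() ? 0u : static_cast<unsigned>(items.size() - currentIndex - 1);
    }
};

// Pre-fix pattern: -distance is evaluated as int before the cast. At
// distance == INT_MIN that negation overflows (undefined behaviour), so the
// compiler may discard this guard entirely. Never call it with INT_MIN.
bool canGoBackOrForwardPreFix(const BackForwardList& list, int distance) {
    if (distance == 0)
        return true;
    if (distance > 0)
        return static_cast<unsigned>(distance) <= list.forwardCount();
    return static_cast<unsigned>(-distance) <= list.backCount();
}

// Hardened form: widen to int64_t before negating, so -wide is representable
// for every int value, and compare in the wide type.
bool canGoBackOrForwardSafe(const BackForwardList& list, int distance) {
    const int64_t wide = distance;
    if (wide == 0)
        return true;
    if (wide > 0)
        return wide <= static_cast<int64_t>(list.forwardCount());
    return -wide <= static_cast<int64_t>(list.backCount());
}

// Delta lookup behind the widened guard; nullptr when the delta leaves the list.
const std::string* itemAtDeltaSafe(const BackForwardList& list, int delta) {
    if (!canGoBackOrForwardSafe(list, delta))
        return nullptr;
    return &list.items[static_cast<size_t>(static_cast<int64_t>(list.currentIndex) + delta)];
}

// Constructed sample: four entries, current index 2 (two back, one forward).
const BackForwardList& sampleList() {
    static const BackForwardList list{{"a", "b", "c", "d"}, 2};
    return list;
}
```

Building the pre-fix variant with -fsanitize=undefined reports the signed overflow at INT_MIN, which is the cheapest way to catch guards of this shape in a test suite.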