[20] [WebCore] Fix INT32_MIN UB in BackForwardController distance arithmetic

Severity: Low | Component: WebKit UIProcess back/forward navigation | a6cd3ca

Rated Low: the diff hardens the INT32_MIN arithmetic path in BackForwardController::canGoBackOrForward and WebBackForwardList::itemAtDeltaFromCurrentIndex. Pre-fix, static_cast<unsigned>(-distance) is undefined behavior at INT32_MIN and may bypass the underflow guard, but the downstream effect is bounded by the back-forward list array indexing and does not yield a controlled memory primitive.

The signed negation is replaced with safe widened arithmetic; delta/distance is computed in a wider type or guarded against INT32_MIN before negation.

Source/WebCore/history/BackForwardController.cpp

- return static_cast<unsigned>(-distance) <= backCount();
+ return distance != std::numeric_limits<int>::min() && static_cast<unsigned>(-distance) <= backCount();
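Review bot: the `distance != std::numeric_limits<int>::min()` guard is correct as a special case, but it depends on `<limits>` being available in this translation unit, which the hunk does not show; a form that needs no special case is to negate in the unsigned domain, `0u - static_cast<unsigned>(distance) <= backCount()`, which is well-defined for every negative `distance` including INT32_MIN, or to widen to int64_t before negating. The description states that the same change is applied in WebBackForwardList::itemAtDeltaFromCurrentIndex, but that hunk is not part of the diff shown here, so the second site should be reviewed separately.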

The root cause is signed integer overflow in an underflow guard that is itself reachable with an attacker-supplied INT32_MIN via the backForwardItemAtIndexForWebContent IPC.

The negation is guarded for INT32_MIN. The same change is applied in WebBackForwardList::itemAtDeltaFromCurrentIndex.

backForwardItemAtIndexForWebContent is an IPC handler in the UI process. The WebContent process sends a delta from the current index; the handler walks the back/forward stack.

Pre-fix, the negative-distance branch performed the negation in signed arithmetic: static_cast<unsigned>(-distance) evaluates -distance as an int first, then casts. With distance == INT32_MIN, -INT32_MIN is not representable as a positive int, so the negation is signed integer overflow, which is undefined behavior.
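To make the pattern concrete, the following is an added example, not WebKit's code: a simplified stand-in for the back/forward list (the `BackForwardModel` struct, its `backCount`/`forwardCount` fields and the three functions are assumptions for illustration) showing the guarded form from the patch beside two alternatives that avoid the INT32_MIN special case entirely, by negating in a wider signed type or in the unsigned domain where wraparound is defined. The pre-fix `static_cast<unsigned>(-distance)` is deliberately not executed, since evaluating it at INT32_MIN is undefined behavior and its result cannot be relied on.

```cpp
#include <cstdint>
#include <iostream>
#include <limits>

// Simplified model of a back/forward list: entries behind and ahead of the
// current item. This is an illustrative stand-in, not WebKit's data structure.
struct BackForwardModel {
    unsigned backCount;
    unsigned forwardCount;
};

// Guarded form matching the patch: refuse INT32_MIN before negating, because
// -distance overflows for exactly that one value.
bool canGoBackOrForwardGuarded(const BackForwardModel& list, int distance)
{
    if (distance > 0)
        return static_cast<unsigned>(distance) <= list.forwardCount;
    if (distance < 0)
        return distance != std::numeric_limits<int>::min()
            && static_cast<unsigned>(-distance) <= list.backCount;
    return true; // distance 0 refers to the current item
}

// Widened form: every int's magnitude fits in int64_t, so the negation is
// well-defined for all inputs and no special case is needed.
bool canGoBackOrForwardWidened(const BackForwardModel& list, int distance)
{
    if (distance > 0)
        return static_cast<unsigned>(distance) <= list.forwardCount;
    if (distance < 0) {
        const int64_t magnitude = -static_cast<int64_t>(distance); // 2147483648 for INT32_MIN
        return magnitude <= static_cast<int64_t>(list.backCount);
    }
    return true;
}

// Unsigned-domain form: unsigned subtraction wraps modulo 2^N by definition,
// so 0u - unsigned(d) yields |d| for every negative d, including INT32_MIN.
unsigned magnitudeOfNegative(int distance)
{
    return 0u - static_cast<unsigned>(distance);
}

int main()
{
    const BackForwardModel list { 3, 2 };
    const int hostile = std::numeric_limits<int>::min(); // what an IPC peer could send
    std::cout << "guarded(-3): " << canGoBackOrForwardGuarded(list, -3) << '\n';      // 1
    std::cout << "guarded(INT_MIN): " << canGoBackOrForwardGuarded(list, hostile) << '\n'; // 0
    std::cout << "widened(INT_MIN): " << canGoBackOrForwardWidened(list, hostile) << '\n'; // 0
    std::cout << "|INT_MIN| via unsigned wrap: " << magnitudeOfNegative(hostile) << '\n';  // 2147483648
    return 0;
}
```

Either alternative removes the need to remember the INT32_MIN check at every site that negates a signed delta; the widened form is the easier one to audit because the comparison stays in a signed type with no wraparound to reason about.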

Explores how a single-line arithmetic pattern crosses an IPC trust boundary, and what realistically follows from undefined behavior in a privileged-process bounds check.

Multiple reusable audit patterns identified for finding sibling instances across WebKit's IPC surface, with concrete grep starting points.
