
LibWeb: Don’t crash on a detached publicExponent in generateKey #10215

Merged: shannonbooth merged 1 commit into LadybirdBrowser:master from sideshowbarker:libweb-crypto-detached-public-exponent on Jun 21, 2026

@sideshowbarker (Member) commented Jun 21, 2026

Problem: Crash when generating an RSA key — or serializing one — whose publicExponent is a typed array whose backing ArrayBuffer has been detached; for example, by calling transfer() on it.

Cause: Two places with big_integer_from_api_big_integer() reading the bytes of the backing ArrayBuffer directly. But reading the bytes of a detached buffer aborts.

Fix: Read the bytes with WebIDL get_buffer_source_copy() — which yields an empty copy for a detached, or OOB resizable, buffer. The empty array is already mapped to zero — so generation rejects the zero exponent with an error, rather than crashing.

Fixes #9991

Comment thread Libraries/LibWeb/Crypto/CryptoAlgorithms.cpp Outdated
Problem: Crash when generating an RSA key — or serializing one —
whose publicExponent is a typed array whose backing ArrayBuffer has
been detached; for example, by calling transfer() on it.

Cause: Two places with big_integer_from_api_big_integer() reading the
bytes of the backing ArrayBuffer directly. But reading the bytes of a
detached buffer aborts.

Fix: Read the bytes with WebIDL get_buffer_source_copy() — which yields
an empty copy for a detached, or OOB resizable, buffer. The empty array
is already mapped to zero — so generation rejects the zero exponent with
an error, rather than crashing.

Fixes LadybirdBrowser#9991
@sideshowbarker sideshowbarker force-pushed the libweb-crypto-detached-public-exponent branch from 7be8752 to 2a02f6e Compare June 21, 2026 11:34
@shannonbooth shannonbooth merged commit 9ffd3e4 into LadybirdBrowser:master Jun 21, 2026
13 checks passed
@sideshowbarker sideshowbarker deleted the libweb-crypto-detached-public-exponent branch June 21, 2026 12:09
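
The behaviour described in the pull request above, modelled in JavaScript as an added example that is not part of the pull request or of Ladybird's code. The function names are hypothetical, and the thrown `Error` is an assumed stand-in for the rejection that key generation produces; a WebCrypto BigInteger is a big-endian unsigned `Uint8Array`.

```javascript
// Copy the bytes of a Uint8Array without touching a detached buffer.
// byteLength reads as 0 for a view over a detached (or out-of-bounds
// resizable) buffer and never throws, unlike slice() on such a view.
function copyBigIntegerBytes(u8) {
  if (!(u8 instanceof Uint8Array)) {
    throw new TypeError("publicExponent must be a Uint8Array");
  }
  return u8.byteLength === 0 ? new Uint8Array(0) : u8.slice();
}

// Big-endian bytes to BigInt; an empty array maps to zero.
function bigIntFromBytes(bytes) {
  let n = 0n;
  for (const b of bytes) n = (n << 8n) | BigInt(b);
  return n;
}

// Reject a zero exponent with an error instead of failing on the read.
function checkPublicExponent(u8) {
  const e = bigIntFromBytes(copyBigIntegerBytes(u8));
  if (e === 0n) throw new Error("OperationError: publicExponent is zero");
  return e;
}

// Detach a buffer: transfer() where available, structuredClone otherwise.
function detach(buffer) {
  return typeof buffer.transfer === "function"
    ? buffer.transfer()
    : structuredClone(buffer, { transfer: [buffer] });
}

function demo() {
  const exponent = new Uint8Array([0x01, 0x00, 0x01]); // constructed: 65537
  const before = checkPublicExponent(exponent);
  detach(exponent.buffer);

  // A direct read of the detached view fails; the guarded copy does not.
  let directReadThrows = false;
  try { exponent.slice(); } catch (err) { directReadThrows = err instanceof TypeError; }

  let rejected = false;
  try { checkPublicExponent(exponent); } catch (err) {
    rejected = /publicExponent is zero/.test(err.message);
  }
  return { before, lengthAfter: exponent.byteLength, directReadThrows, rejected };
}
```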

Development

Successfully merging this pull request may close these issues.

WebCrypto ArrayBuffer crash
