LibWeb: Don’t crash on a detached publicExponent in generateKey#10215
Merged
shannonbooth merged 1 commit intoJun 21, 2026
Merged
Conversation
Problem: Crash when generating an RSA key — or serializing one — whose publicExponent is a typed array whose backing ArrayBuffer has been detached; for example, by calling transfer() on it. Cause: Two places with big_integer_from_api_big_integer() reading the bytes of the backing ArrayBuffer directly. But reading the bytes of a detached buffer aborts. Fix: Read the bytes with WebIDL get_buffer_source_copy() — which yields an empty copy for a detached, or OOB resizable, buffer. The empty array is already mapped to zero — so generation rejects the zero exponent with an error, rather than crashing. Fixes LadybirdBrowser#9991
7be8752 to
2a02f6e
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem: Crash when generating an RSA key — or serializing one — whose
publicExponentis a typed array whose backingArrayBufferhas been detached; for example, by callingtransfer()on it.Cause: Two places with
big_integer_from_api_big_integer()reading the bytes of the backingArrayBufferdirectly. But reading the bytes of a detached buffer aborts.Fix: Read the bytes with WebIDL
get_buffer_source_copy()— which yields an empty copy for a detached, or OOB resizable, buffer. The empty array is already mapped to zero — so generation rejects the zero exponent with an error, rather than crashing.Fixes #9991