From 2a02f6eb6ba545e35f4701b760a046d3e649675a Mon Sep 17 00:00:00 2001
From: sideshowbarker
Date: Sun, 21 Jun 2026 16:45:32 +0900
Subject: [PATCH] =?UTF-8?q?LibWeb:=20Don=E2=80=99t=20crash=20on=20a=20deta?=
 =?UTF-8?q?ched=20publicExponent=20in=20generateKey?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Problem: Crash when generating an RSA key — or serializing one — whose publicExponent is a typed array whose backing ArrayBuffer has been detached; for example, by calling transfer() on it.

Cause: Two places with big_integer_from_api_big_integer() reading the bytes of the backing ArrayBuffer directly. But reading the bytes of a detached buffer aborts.

Fix: Read the bytes with WebIDL get_buffer_source_copy() — which yields an empty copy for a detached, or OOB resizable, buffer. The empty array is already mapped to zero — so generation rejects the zero exponent with an error, rather than crashing.

Fixes https://github.com/LadybirdBrowser/ladybird/issues/9991
---
 Libraries/LibWeb/Crypto/CryptoAlgorithms.cpp | 3 +--
 Libraries/LibWeb/Crypto/CryptoKey.cpp | 3 ++-
 ...o-generateKey-detached-public-exponent.txt | 1 +
 ...ructuredClone-detached-public-exponent.txt | 1 +
 ...-generateKey-detached-public-exponent.html | 25 +++++++++++++++++++
 ...ucturedClone-detached-public-exponent.html | 22 ++++++++++++++++
 6 files changed, 52 insertions(+), 3 deletions(-)
 create mode 100644 Tests/LibWeb/Text/expected/Crypto/SubtleCrypto-generateKey-detached-public-exponent.txt
 create mode 100644 Tests/LibWeb/Text/expected/Crypto/SubtleCrypto-structuredClone-detached-public-exponent.txt
 create mode 100644 Tests/LibWeb/Text/input/Crypto/SubtleCrypto-generateKey-detached-public-exponent.html
 create mode 100644 Tests/LibWeb/Text/input/Crypto/SubtleCrypto-structuredClone-detached-public-exponent.html
diff --git a/Libraries/LibWeb/Crypto/CryptoAlgorithms.cpp b/Libraries/LibWeb/Crypto/CryptoAlgorithms.cpp
index 000c148200486..1459e94445ad9 100644
--- a/Libraries/LibWeb/Crypto/CryptoAlgorithms.cpp +++ b/Libraries/LibWeb/Crypto/CryptoAlgorithms.cpp @@ -91,8 +91,7 @@ static ::Crypto::UnsignedBigInteger big_integer_from_api_big_integer(GC::Ptrviewed_array_buffer()->bytes(); - + auto buffer = MUST(WebIDL::get_buffer_source_copy(*big_integer)); if (!buffer.is_empty()) return ::Crypto::UnsignedBigInteger::import_data(buffer); return ::Crypto::UnsignedBigInteger(0); diff --git a/Libraries/LibWeb/Crypto/CryptoKey.cpp b/Libraries/LibWeb/Crypto/CryptoKey.cpp index 3dc3905a65b1e..a8e5ff8d8e438 100644 --- a/Libraries/LibWeb/Crypto/CryptoKey.cpp +++ b/Libraries/LibWeb/Crypto/CryptoKey.cpp @@ -14,6 +14,7 @@ #include #include #include +#include namespace Web::Crypto { @@ -44,7 +45,7 @@ enum class KeyAlgorithmTag : u8 { ::Crypto::UnsignedBigInteger big_integer_from_api_big_integer(JS::Uint8Array const& big_integer) { - auto buffer = big_integer.viewed_array_buffer()->bytes().slice(big_integer.byte_offset(), big_integer.byte_length().length()); + auto buffer = MUST(WebIDL::get_buffer_source_copy(big_integer)); if (!buffer.is_empty()) return ::Crypto::UnsignedBigInteger::import_data(buffer); return ::Crypto::UnsignedBigInteger(0); diff --git a/Tests/LibWeb/Text/expected/Crypto/SubtleCrypto-generateKey-detached-public-exponent.txt b/Tests/LibWeb/Text/expected/Crypto/SubtleCrypto-generateKey-detached-public-exponent.txt new file mode 100644 index 0000000000000..563bb83b204b3 --- /dev/null +++ b/Tests/LibWeb/Text/expected/Crypto/SubtleCrypto-generateKey-detached-public-exponent.txt @@ -0,0 +1 @@ +rejected: OperationError diff --git a/Tests/LibWeb/Text/expected/Crypto/SubtleCrypto-structuredClone-detached-public-exponent.txt b/Tests/LibWeb/Text/expected/Crypto/SubtleCrypto-structuredClone-detached-public-exponent.txt new file mode 100644 index 0000000000000..96ad8180ac729 --- /dev/null +++ b/Tests/LibWeb/Text/expected/Crypto/SubtleCrypto-structuredClone-detached-public-exponent.txt @@ -0,0 +1 @@ +PASS (didn't crash): cloned 
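Review bot: `MUST(WebIDL::get_buffer_source_copy(*big_integer))` in the CryptoAlgorithms.cpp hunk still aborts the process if the copy fails (presumably on allocation failure), and the size of that copy is chosen by page script through the publicExponent typed array. The helper returns a plain `::Crypto::UnsignedBigInteger`, so the failure cannot be propagated as written; consider returning `ErrorOr<::Crypto::UnsignedBigInteger>` and using `TRY(...)` so the caller can reject with an OperationError, or rejecting over-long exponents before copying. The same `MUST` appears in the CryptoKey.cpp hunk at -44,7. The function body closes outside the hunk and part of the removed line is missing from this page, so the callers' error handling is not visible here.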
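Review bot: In the CryptoKey.cpp hunk at -44,7, a detached or out-of-bounds publicExponent is now indistinguishable from a genuinely empty one: both fall through to `return ::Crypto::UnsignedBigInteger(0);`, and the new structuredClone test expects `PASS (didn't crash): cloned`. That suggests the serialized key carries a zero exponent that no longer matches the key material, which the deserializing side may take at face value. If that is intended, say so above the copy, e.g. `// A detached or out-of-bounds view copies as empty and is serialized as zero.`; otherwise the serialization path would be better off failing the clone than emitting a zero exponent. The caller is outside the hunk, so this is inferred from the helper and the expected test output.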
diff --git a/Tests/LibWeb/Text/input/Crypto/SubtleCrypto-generateKey-detached-public-exponent.html b/Tests/LibWeb/Text/input/Crypto/SubtleCrypto-generateKey-detached-public-exponent.html new file mode 100644 index 0000000000000..b9112b249956c --- /dev/null +++ b/Tests/LibWeb/Text/input/Crypto/SubtleCrypto-generateKey-detached-public-exponent.html @@ -0,0 +1,25 @@ + + + diff --git a/Tests/LibWeb/Text/input/Crypto/SubtleCrypto-structuredClone-detached-public-exponent.html b/Tests/LibWeb/Text/input/Crypto/SubtleCrypto-structuredClone-detached-public-exponent.html new file mode 100644 index 0000000000000..25878b9f93013 --- /dev/null +++ b/Tests/LibWeb/Text/input/Crypto/SubtleCrypto-structuredClone-detached-public-exponent.html @@ -0,0 +1,22 @@ + + +