WebKitGTK and WPE WebKit Out-of-Bounds Read and Integer Underflow Vulnerability Leading to Denial-of-Service

Vulnerability

A vulnerability has been identified in WebKitGTK and WPE WebKit, allowing for an out-of-bounds read and integer underflow. This flaw can cause a crash in the UIProcess, leading to a denial-of-service condition. The vulnerability is triggered by a crafted payload sent to the GLib remote inspector server.

Impact

Exploitation of this vulnerability causes a segmentation fault or crash by reading memory outside the bounds of a buffer. Flaws of this kind are likely when code processes a variable amount of data and relies on a sentinel, such as a NUL character in a string, to terminate the read operation.

Reproduction

The vulnerability can be reproduced by enabling the GLib remote inspector server and sending a crafted payload that omits a NUL terminator. The WTF::SocketConnection::readMessage() function then reads beyond the frame boundary, and this out-of-bounds read leads to a crash in the UIProcess.
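The defensive pattern for this class of bug, as an added example that is not WebKit's code or the actual fix: search for the terminator only within the declared frame, and reject the frame before any length subtraction if it is missing. The frame layout, the names parse_frame and frame_view, and the sample bytes are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout (hypothetical, not WebKit's): 4-byte big-endian payload
 * length, then payload = NUL-terminated message name followed by the body. */
#define HEADER_SIZE 4u
typedef enum { FRAME_OK, FRAME_INCOMPLETE, FRAME_MALFORMED } frame_status;
typedef struct { const char *name; const uint8_t *body; size_t body_len; } frame_view;

frame_status parse_frame(const uint8_t *buf, size_t buf_len, frame_view *out)
{
    if (buf_len < HEADER_SIZE)
        return FRAME_INCOMPLETE;
    size_t payload_len = ((size_t)buf[0] << 24) | ((size_t)buf[1] << 16) |
                         ((size_t)buf[2] << 8) | (size_t)buf[3];
    /* Compare against remaining bytes; buf_len >= HEADER_SIZE so no underflow. */
    if (payload_len > buf_len - HEADER_SIZE)
        return FRAME_INCOMPLETE;
    const uint8_t *payload = buf + HEADER_SIZE;
    /* Bounded search: unlike strlen(), memchr() never looks past the frame. */
    const uint8_t *nul = memchr(payload, 0, payload_len);
    if (nul == NULL)
        return FRAME_MALFORMED;       /* no terminator inside the frame: reject */
    size_t name_len = (size_t)(nul - payload) + 1;   /* includes the NUL */
    out->name = (const char *)payload;
    out->body = payload + name_len;
    out->body_len = payload_len - name_len;  /* name_len <= payload_len here */
    return FRAME_OK;
}

/* Constructed sample frames. */
const uint8_t good_frame[] = { 0, 0, 0, 7, 'p', 'i', 'n', 'g', 0, 'h', 'i' };
/* Declared length 4 covers "ping" only; the NUL sits in the NEXT frame's bytes.
 * An unbounded strlen() would find name_len 5 > 4 and underflow 4 - 5. */
const uint8_t bad_frame[]  = { 0, 0, 0, 4, 'p', 'i', 'n', 'g', 0, 'x' };

int main(void)
{
    frame_view v;
    printf("good: %d\n", parse_frame(good_frame, sizeof good_frame, &v));
    printf("bad:  %d\n", parse_frame(bad_frame, sizeof bad_frame, &v));
    return 0;
}
```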

Added: Nov 25, 2025, 8:25 AM
Updated: Nov 25, 2025, 8:25 AM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 2.5
exploitability: 5.0
remediation: 0.0
relevance: 1.2
threat: 1.6
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.