Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 122493b27e92dedc613240fe169122d2896624c1
https://github.com/WebKit/WebKit/commit/122493b27e92dedc613240fe169122d2896624c1
Author: Ahmad Saleem <[email protected]>
Date: 2026-07-03 (Fri, 03 Jul 2026)
Changed paths:
M Source/WebCore/inspector/agents/InspectorAnimationAgent.cpp
Log Message:
-----------
Out-of-bounds read in InspectorAnimationAgent when parsedKeyframes is shorter
than blendingKeyframes
https://bugs.webkit.org/show_bug.cgi?id=318501
rdar://181283194
Reviewed by Devin Rousso.
buildObjectForKeyframes() in InspectorAnimationAgent.cpp iterates over
blendingKeyframes.size() but indexes parsedKeyframes[i] guarded only by
!parsedKeyframes.isEmpty(). KeyframeEffect stores these as two independent
vectors populated by separate paths: m_parsedKeyframes is set via the Web
Animations API (setKeyframes), while m_blendingKeyframes is recomputed from
the CSS rule (computeCSSAnimationBlendingKeyframes). For a style-originated
(CSS) animation whose keyframes were re-set through the Web Animations API
and later recomputed from the CSS rule, parsedKeyframes.size() can be smaller
than blendingKeyframes.size(). Inspecting such an animation in the Web
Inspector Animations panel then reads past the end of parsedKeyframes.
Guard the access with a bounds check (i < parsedKeyframes.size()) instead of
the emptiness check, matching the pattern already used by
KeyframeEffect::timingFunctionForKeyframeAtIndex(). When the index is out of
range the code falls through to the existing blendingKeyframe.timingFunction()
and backing-animation fallbacks, so well-sized keyframes are unaffected.
* Source/WebCore/inspector/agents/InspectorAnimationAgent.cpp:
(WebCore::buildObjectForKeyframes):
Canonical link: https://commits.webkit.org/316470@main
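The guard change described in the commit, as an added example that is not WebKit code: it models the two independently populated KeyframeEffect vectors with std::vector in place of WTF::Vector, and compares the pre-fix !isEmpty() guard with the post-fix i < size() guard on a constructed input where parsedKeyframes is shorter than blendingKeyframes. Struct names, function names and the sample timing functions are hypothetical; the fall-through order (parsed keyframe, then blending keyframe, then backing animation) follows the commit message.

```cpp
// Added example, not WebKit code. Models the guard fixed in
// InspectorAnimationAgent::buildObjectForKeyframes() with std::vector
// standing in for WTF::Vector. All names below are hypothetical.
#include <cassert>
#include <cstddef>
#include <iostream>
#include <optional>
#include <stdexcept>
#include <string>
#include <vector>

// Stand-ins for the two independently populated KeyframeEffect vectors.
struct ParsedKeyframe   { std::optional<std::string> timingFunction; };
struct BlendingKeyframe { std::optional<std::string> timingFunction; };

struct Effect {
    std::vector<ParsedKeyframe>   parsedKeyframes;   // set via the Web Animations API
    std::vector<BlendingKeyframe> blendingKeyframes; // recomputed from the CSS rule
    std::string backingAnimationTimingFunction;      // final fallback
};

// Resolve the timing function for keyframe i. With boundsCheck=false the
// guard is the pre-fix !isEmpty() test; with boundsCheck=true it is the
// post-fix i < size() test. at() is used so that an out-of-range index on
// the pre-fix path throws instead of silently reading past the buffer.
std::string timingFunctionForKeyframe(const Effect& e, std::size_t i, bool boundsCheck)
{
    bool parsedInRange = boundsCheck ? (i < e.parsedKeyframes.size())
                                     : !e.parsedKeyframes.empty();
    if (parsedInRange) {
        const auto& parsed = e.parsedKeyframes.at(i);
        if (parsed.timingFunction)
            return *parsed.timingFunction;
    }
    // Fall through to the blending keyframe, then to the backing animation.
    const auto& blending = e.blendingKeyframes.at(i);
    if (blending.timingFunction)
        return *blending.timingFunction;
    return e.backingAnimationTimingFunction;
}

// Mirrors the loop shape of buildObjectForKeyframes(): iterate over
// blendingKeyframes, but consult parsedKeyframes at each index.
std::vector<std::string> buildKeyframeTimingFunctions(const Effect& e, bool boundsCheck)
{
    std::vector<std::string> out;
    for (std::size_t i = 0; i < e.blendingKeyframes.size(); ++i)
        out.push_back(timingFunctionForKeyframe(e, i, boundsCheck));
    return out;
}

// True if the pre-fix guard lets an index past the end of parsedKeyframes through.
bool preFixGuardReadsPastEnd(const Effect& e)
{
    try {
        buildKeyframeTimingFunctions(e, false);
    } catch (const std::out_of_range&) {
        return true;
    }
    return false;
}

// Constructed input: one parsed keyframe but three blending keyframes,
// the shape the commit describes for a CSS animation whose keyframes were
// re-set through the API and then recomputed from the rule.
Effect makeMismatchedEffect()
{
    Effect e;
    e.parsedKeyframes = { ParsedKeyframe{ "ease-in" } };
    e.blendingKeyframes = { BlendingKeyframe{ std::nullopt },
                            BlendingKeyframe{ "linear" },
                            BlendingKeyframe{ std::nullopt } };
    e.backingAnimationTimingFunction = "ease";
    return e;
}

// Constructed input where both vectors have the same length.
Effect makeWellSizedEffect()
{
    Effect e = makeMismatchedEffect();
    e.parsedKeyframes = { ParsedKeyframe{ "ease-in" },
                          ParsedKeyframe{ std::nullopt },
                          ParsedKeyframe{ "ease-out" } };
    return e;
}

int main()
{
    Effect e = makeMismatchedEffect();
    std::cout << "pre-fix guard reads past end: " << std::boolalpha
              << preFixGuardReadsPastEnd(e) << '\n';
    for (const auto& tf : buildKeyframeTimingFunctions(e, true))
        std::cout << "fixed path: " << tf << '\n';
    return 0;
}
```

On the mismatched input the pre-fix guard passes for every index because the vector is non-empty, so index 1 and 2 reach past parsedKeyframes; the bounds-checked guard rejects them and the lookup falls through to the blending keyframe and then to the backing animation. On the well-sized input both guards produce identical results, which is the "well-sized keyframes are unaffected" property the commit claims.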