From a72eef7584618ed0a3cb03f4c6153c273b4dd6e0 Mon Sep 17 00:00:00 2001
From: tomaioo
Date: Tue, 19 May 2026 23:17:30 -0700
Subject: [PATCH] fix(webgpu): potential memory safety issue in arraybuffer jsi c

In `ArrayBuffer.h`, the `createArrayBufferFromJSI` function creates an shared_ptr that wraps raw pointers obtained from JSI ArrayBuffer objects. The `byteOffset` and `byteLength` values are cast from `asNumber()` without bounds checking against the actual ArrayBuffer size. A malicious or malformed JSI object could provide values that cause out-of-bounds memory access. Additionally, the `bytesPerElements` value is used without validation, which could lead to incorrect memory calculations.

Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
---
 packages/webgpu/cpp/rnwgpu/ArrayBuffer.h | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/packages/webgpu/cpp/rnwgpu/ArrayBuffer.h b/packages/webgpu/cpp/rnwgpu/ArrayBuffer.h
index 231e2924a..e3a6e5cfc 100644
--- a/packages/webgpu/cpp/rnwgpu/ArrayBuffer.h
+++ b/packages/webgpu/cpp/rnwgpu/ArrayBuffer.h
@@ -54,6 +54,17 @@ template <> struct JSIConverter> {
 obj.getProperty(runtime, "byteOffset").asNumber());
 auto byteLength = static_cast(
 obj.getProperty(runtime, "byteLength").asNumber());
+ if (bytesPerElements <= 0 || bytesPerElements > 8) {
+ throw std::runtime_error(
+ "ArrayBuffer::fromJSI: BYTES_PER_ELEMENT must be a positive "
+ "integer between 1 and 8");
+ }
+ auto bufferSize = arrayBuffer.size(runtime);
+ if (byteOffset > bufferSize || byteLength > bufferSize - byteOffset) {
+ throw std::runtime_error(
+ "ArrayBuffer::fromJSI: byteOffset + byteLength exceeds buffer "
+ "size");
+ }
 return std::make_shared(
 arrayBuffer.data(runtime) + byteOffset, byteLength,
 static_cast(bytesPerElements));
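Review bot: The new range check runs only after `byteOffset` and `byteLength` have already been narrowed from `asNumber()` by the `static_cast` on the preceding context lines, so a negative, NaN or larger-than-the-target-type double is converted before anything rejects it, and a floating-to-integer conversion whose value does not fit the destination is undefined behavior — the check after the cast catches a wrapped value only by luck. Validate the raw doubles first, keeping the `asNumber()` results in locals: `const double maxSize = static_cast<double>(arrayBuffer.size(runtime));` followed by `if (!(offset >= 0 && length >= 0 && offset <= maxSize && length <= maxSize - offset)) throw std::runtime_error("ArrayBuffer::fromJSI: byteOffset + byteLength out of range");` placed before the casts (the negated form also rejects NaN, which satisfies no ordinary comparison). The same applies to `bytesPerElements`, which is declared outside the hunk: if it is a floating type, NaN passes `bytesPerElements <= 0 || bytesPerElements > 8` and is then cast on the last line, whereas `!(bytesPerElements >= 1 && bytesPerElements <= 8)` rejects it. The enclosing `fromJSI` body begins and ends outside the hunk.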