64257 2011-07-11 02:24:32 -0700 Signed arithmetic bug in dataTransfer32 2011-07-11 10:29:48 -0700 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) Other All RESOLVED FIXED P2 Normal --- 1 loki webkit-unassigned webkit.review.bot zherczeg oldest_to_newest 434720 0 loki 2011-07-11 02:24:32 -0700 There is an arithmetic bug in dataTransfer32. If the offset of dataTransfer is half of the addressable memory space on a 32-bit machine (-2147483648 = 0x80000000) a load instruction is emitted with a wrong zero offset. 434722 1 100257 loki 2011-07-11 02:27:13 -0700 Created attachment 100257 Signed arithmetic bug in dataTransfer32 434727 2 100257 zherczeg 2011-07-11 02:49:23 -0700 Comment on attachment 100257 Signed arithmetic bug in dataTransfer32 Nice catch. 434735 3 100257 webkit.review.bot 2011-07-11 03:31:35 -0700 Comment on attachment 100257 Signed arithmetic bug in dataTransfer32 Clearing flags on attachment: 100257 Committed r90731: <http://trac.webkit.org/changeset/90731> 434736 4 webkit.review.bot 2011-07-11 03:31:39 -0700 All reviewed patches have been landed. Closing bug. 434968 5 ap 2011-07-11 10:20:18 -0700 Regression test? 434982 6 zherczeg 2011-07-11 10:29:48 -0700 (In reply to comment #5) > Regression test? Seemed impossible. 0x80000000 (INT_MIN) is too big offset on a 32 bit machine. This is a "theoretical" bug. 100257 2011-07-11 02:27:13 -0700 2011-07-11 03:31:35 -0700 Signed arithmetic bug in dataTransfer32 0001-2011-07-11-Gabor-Loki-loki-webkit.org.patch text/plain 3162 loki RnJvbSBlMTYxNzZiM2YwODllMGRkYmE1YTE2NGEzZGQzM2ZjZDc1MTI5MmJiIE1vbiBTZXAgMTcg MDA6MDA6MDAgMjAwMQpGcm9tOiBHYWJvciBMb2tpIDxsb2tpQGluZi51LXN6ZWdlZC5odT4KRGF0 ZTogTW9uLCAxMSBKdWwgMjAxMSAxMToyNDo0MyArMDIwMApTdWJqZWN0OiBbUEFUQ0hdIDIwMTEt MDctMTEgIEdhYm9yIExva2kgIDxsb2tpQHdlYmtpdC5vcmc+CgogICAgICAgIFNpZ25lZCBhcml0 aG1ldGljIGJ1ZyBpbiBkYXRhVHJhbnNmZXIzMi4KICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0 Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9NjQyNTcKCiAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChP T1BTISkuCgogICAgICAgIEFuIGFyaXRobWV0aWMgYnVnIGlzIGZpeGVkLiBJZiB0aGUgb2Zmc2V0 IG9mIGRhdGFUcmFuc2ZlciBpcyBoYWxmIG9mIHRoZQogICAgICAgIGFkZHJlc3NhYmxlIG1lbW9y eSBzcGFjZSBvbiBhIDMyLWJpdCBtYWNoaW5lICgtMjE0NzQ4MzY0OCA9IDB4ODAwMDAwMDApCiAg ICAgICAgYSBsb2FkIGluc3RydWN0aW9uIGlzIGVtaXR0ZWQgd2l0aCBhIHdyb25nIHplcm8gb2Zm c2V0LgoKICAgICAgICBJbnNwaXJlZCBieSBKYWNvYiBCcmFtbGV5J3MgcGF0Y2ggZnJvbSBKYWVn ZXJNb25rZXkuCgogICAgICAgICogYXNzZW1ibGVyL0FSTUFzc2VtYmxlci5jcHA6CiAgICAgICAg KEpTQzo6QVJNQXNzZW1ibGVyOjpkYXRhVHJhbnNmZXIzMik6Ci0tLQogU291cmNlL0phdmFTY3Jp cHRDb3JlL0NoYW5nZUxvZyAgICAgICAgICAgICAgICAgIHwgICAxNiArKysrKysrKysrKysrKysr CiBTb3VyY2UvSmF2YVNjcmlwdENvcmUvYXNzZW1ibGVyL0FSTUFzc2VtYmxlci5jcHAgfCAgIDEz ICsrKysrKy0tLS0tLS0KIDIgZmlsZXMgY2hhbmdlZCwgMjIgaW5zZXJ0aW9ucygrKSwgNyBkZWxl dGlvbnMoLSkKCmRpZmYgLS1naXQgYS9Tb3VyY2UvSmF2YVNjcmlwdENvcmUvQ2hhbmdlTG9nIGIv U291cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwppbmRleCBjZDdmNDc3Li5mMmVjMzZlIDEw MDY0NAotLS0gYS9Tb3VyY2UvSmF2YVNjcmlwdENvcmUvQ2hhbmdlTG9nCisrKyBiL1NvdXJjZS9K YXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKQEAgLTEsMyArMSwxOSBAQAorMjAxMS0wNy0xMSAgR2Fi b3IgTG9raSAgPGxva2lAd2Via2l0Lm9yZz4KKworICAgICAgICBTaWduZWQgYXJpdGhtZXRpYyBi dWcgaW4gZGF0YVRyYW5zZmVyMzIuCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3No b3dfYnVnLmNnaT9pZD02NDI1NworCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEp LgorCisgICAgICAgIEFuIGFyaXRobWV0aWMgYnVnIGlzIGZpeGVkLiBJZiB0aGUgb2Zmc2V0IG9m IGRhdGFUcmFuc2ZlciBpcyBoYWxmIG9mIHRoZQorICAgICAgICBhZGRyZXNzYWJsZSBtZW1vcnkg c3BhY2Ugb24gYSAzMi1iaXQgbWFjaGluZSAoLTIxNDc0ODM2NDggPSAweDgwMDAwMDAwKQorICAg ICAgICBhIGxvYWQgaW5zdHJ1Y3Rpb24gaXMgZW1pdHRlZCB3aXRoIGEgd3JvbmcgemVybyBvZmZz ZXQuCisKKyAgICAgICAgSW5zcGlyZWQgYnkgSmFjb2IgQnJhbWxleSdzIHBhdGNoIGZyb20gSmFl Z2VyTW9ua2V5LgorCisgICAgICAgICogYXNzZW1ibGVyL0FSTUFzc2VtYmxlci5jcHA6CisgICAg ICAgIChKU0M6OkFSTUFzc2VtYmxlcjo6ZGF0YVRyYW5zZmVyMzIpOgorCiAyMDExLTA3LTA5ICBU aG91cmF5YSBBbmRvbHNpICA8dGhvdXJheWEuYW5kb2xzaUBzdC5jb20+CiAKICAgICAgICAgRml4 IHVuYWxpZ25lZCB1c2Vyc3BhY2UgYWNjZXNzIGZvciBTSDQgcGxhdGZvcm1zLiAKZGlmZiAtLWdp dCBhL1NvdXJjZS9KYXZhU2NyaXB0Q29yZS9hc3NlbWJsZXIvQVJNQXNzZW1ibGVyLmNwcCBiL1Nv dXJjZS9KYXZhU2NyaXB0Q29yZS9hc3NlbWJsZXIvQVJNQXNzZW1ibGVyLmNwcAppbmRleCBmODY0 NDRkLi43NTQzNTg2IDEwMDY0NAotLS0gYS9Tb3VyY2UvSmF2YVNjcmlwdENvcmUvYXNzZW1ibGVy L0FSTUFzc2VtYmxlci5jcHAKKysrIGIvU291cmNlL0phdmFTY3JpcHRDb3JlL2Fzc2VtYmxlci9B Uk1Bc3NlbWJsZXIuY3BwCkBAIC0yNzYsMTUgKzI3NiwxNCBAQCB2b2lkIEFSTUFzc2VtYmxlcjo6 ZGF0YVRyYW5zZmVyMzIoYm9vbCBpc0xvYWQsIFJlZ2lzdGVySUQgc3JjRHN0LCBSZWdpc3RlcklE IGJhcwogICAgICAgICAgICAgZHRyX3VyKGlzTG9hZCwgc3JjRHN0LCBiYXNlLCBBUk1SZWdpc3Rl cnM6OlMwIHwgdHJhbnNmZXJGbGFnKTsKICAgICAgICAgfQogICAgIH0gZWxzZSB7Ci0gICAgICAg IG9mZnNldCA9IC1vZmZzZXQ7Ci0gICAgICAgIGlmIChvZmZzZXQgPD0gMHhmZmYpCi0gICAgICAg ICAgICBkdHJfZChpc0xvYWQsIHNyY0RzdCwgYmFzZSwgb2Zmc2V0IHwgdHJhbnNmZXJGbGFnKTsK LSAgICAgICAgZWxzZSBpZiAob2Zmc2V0IDw9IDB4ZmZmZmYpIHsKLSAgICAgICAgICAgIHN1Yl9y KEFSTVJlZ2lzdGVyczo6UzAsIGJhc2UsIE9QMl9JTU0gfCAob2Zmc2V0ID4+IDEyKSB8ICgxMCA8 PCA4KSk7Ci0gICAgICAgICAgICBkdHJfZChpc0xvYWQsIHNyY0RzdCwgQVJNUmVnaXN0ZXJzOjpT MCwgKG9mZnNldCAmIDB4ZmZmKSB8IHRyYW5zZmVyRmxhZyk7CisgICAgICAgIGlmIChvZmZzZXQg Pj0gLTB4ZmZmKQorICAgICAgICAgICAgZHRyX2QoaXNMb2FkLCBzcmNEc3QsIGJhc2UsIC1vZmZz ZXQgfCB0cmFuc2ZlckZsYWcpOworICAgICAgICBlbHNlIGlmIChvZmZzZXQgPj0gLTB4ZmZmZmYp IHsKKyAgICAgICAgICAgIHN1Yl9yKEFSTVJlZ2lzdGVyczo6UzAsIGJhc2UsIE9QMl9JTU0gfCAo LW9mZnNldCA+PiAxMikgfCAoMTAgPDwgOCkpOworICAgICAgICAgICAgZHRyX2QoaXNMb2FkLCBz cmNEc3QsIEFSTVJlZ2lzdGVyczo6UzAsICgtb2Zmc2V0ICYgMHhmZmYpIHwgdHJhbnNmZXJGbGFn KTsKICAgICAgICAgfSBlbHNlIHsKICAgICAgICAgICAgIG1vdmVJbW0ob2Zmc2V0LCBBUk1SZWdp c3RlcnM6OlMwKTsKLSAgICAgICAgICAgIGR0cl9kcihpc0xvYWQsIHNyY0RzdCwgYmFzZSwgQVJN UmVnaXN0ZXJzOjpTMCB8IHRyYW5zZmVyRmxhZyk7CisgICAgICAgICAgICBkdHJfdXIoaXNMb2Fk LCBzcmNEc3QsIGJhc2UsIEFSTVJlZ2lzdGVyczo6UzAgfCB0cmFuc2ZlckZsYWcpOwogICAgICAg ICB9CiAgICAgfQogfQotLSAKMS43LjQuMQoK