WebKit Bugzilla
New
Browse
Search+
Log In
×
Sign in with GitHub
or
Remember my login
Create Account
·
Forgot Password
Forgotten password account recovery
RESOLVED FIXED
205943
JSArrayBufferView.h: Multiplication result converted to larger type
https://bugs.webkit.org/show_bug.cgi?id=205943
Summary
JSArrayBufferView.h: Multiplication result converted to larger type
Michael Saboff
Reported
2020-01-08 11:42:47 PST
Summary: JSArrayBufferView.h: Multiplication result converted to larger type: Multiplication result may overflow 'unsigned int' before it is converted to 'unsigned long'. static size_t sizeOf(uint32_t length, uint32_t elementSize) { return (length * elementSize + sizeof(EncodedJSValue) - 1) Multiplication result may overflow 'unsigned int' before it is converted to 'unsigned long'. & ~(sizeof(EncodedJSValue) - 1); } fix: cast length to size_t before multiplication.
Attachments
Patch
(1.31 KB, patch)
2020-01-08 11:56 PST
,
Michael Saboff
no flags
Details
Formatted Diff
Diff
View All
Add attachment
proposed patch, testcase, etc.
Michael Saboff
Comment 1
2020-01-08 11:43:03 PST
<
rdar://problem/58383286
>
Michael Saboff
Comment 2
2020-01-08 11:56:24 PST
Created
attachment 387122
[details]
Patch
WebKit Commit Bot
Comment 3
2020-01-08 12:54:16 PST
Comment on
attachment 387122
[details]
Patch Clearing flags on attachment: 387122 Committed
r254218
: <
https://trac.webkit.org/changeset/254218
>
WebKit Commit Bot
Comment 4
2020-01-08 12:54:18 PST
All reviewed patches have been landed. Closing bug.
Note
You need to
log in
before you can comment on or make changes to this bug.
Top of Page
Format For Printing
XML
Clone This Bug