223694 – Address undefined behavior found by UBSan in StringToIntegerConversion.h

Bug 223694 - Address undefined behavior found by UBSan in StringToIntegerConversion.h

Summary: Address undefined behavior found by UBSan in StringToIntegerConversion.h

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	Web Template Framework (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Chris Dumez

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2021-03-24 09:13 PDT by Chris Dumez
Modified:	2021-03-24 12:31 PDT (History)
CC List:	7 users (show)

See Also:	176131

Attachments
Patch (5.52 KB, patch) 2021-03-24 09:37 PDT, Chris Dumez	ggaren: review+	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Chris Dumez 2021-03-24 09:13:17 PDT

Address undefined behavior found by UBSan in StringToIntegerConversion.h:
- wtf/text/StringToIntegerConversion.h:94:30: runtime error: signed integer overflow: 2147483640 + 8 cannot be represented in type 'int'
- wtf/text/StringToIntegerConversion.h:104:17: runtime error: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself

Comment 1 Chris Dumez 2021-03-24 09:37:01 PDT

Created attachment 424142 [details]
Patch

Comment 2 Geoffrey Garen 2021-03-24 12:02:30 PDT

Comment on attachment 424142 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=424142&action=review

r=me

> Source/WTF/wtf/text/StringToIntegerConversion.h:54
> +    Checked<IntegralType, RecordOverflow> value = 0;

No need for = 0 anymore here.

Comment 3 Chris Dumez 2021-03-24 12:30:43 PDT

Committed r274959 (235712@main): <https://commits.webkit.org/235712@main>

Comment 4 Radar WebKit Bug Importer 2021-03-24 12:31:32 PDT

<rdar://problem/75799204>