Bug 223718 - Source/WebCore/xml/parser/CharacterReferenceParserInlines.h:107:33: runtime error: signed integer overflow: 268435455 * 16 cannot be represented in type 'int'
Summary: Source/WebCore/xml/parser/CharacterReferenceParserInlines.h:107:33: runtime e...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc. (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Chris Dumez
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2021-03-24 16:48 PDT by Chris Dumez
Modified: 2021-03-25 11:22 PDT (History)
4 users (show)

See Also:

Attachments
Patch (4.01 KB, patch)
2021-03-24 16:50 PDT, Chris Dumez 		no flags Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Chris Dumez 2021-03-24 16:48:27 PDT 
Fix issue found by UBSan under consumeCharacterReference() in CharacterReferenceParserInlines.h.
Comment 1 Chris Dumez 2021-03-24 16:50:24 PDT 
Created attachment 424201 [details]
Patch
Comment 2 Darin Adler 2021-03-25 10:59:54 PDT 
Comment on attachment 424201 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=424201&action=review

> Source/WebCore/ChangeLog:9
> +        Use Checked<> for the result in consumeCharacterReference() to deal with overflows
> +        in a well-defined manner.

The reason UBSan doesn’t like this is that we don’t stop doing the worthless calculations once we have overflowed. Otherwise the code was fine.

> Source/WebCore/xml/parser/CharacterReferenceParserInlines.h:107
> +                result += static_cast<UChar32>(toASCIIHexValue(character));

Surprised that we need a typecast here; would have tried to avoid it.
Comment 3 EWS 2021-03-25 11:21:03 PDT 
Committed r275048: <https://commits.webkit.org/r275048>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 424201 [details].
Comment 4 Radar WebKit Bug Importer 2021-03-25 11:22:16 PDT 
<rdar://problem/75845102>