Bug 223718 - Source/WebCore/xml/parser/CharacterReferenceParserInlines.h:107:33: runtime error: signed integer overflow: 268435455 * 16 cannot be represented in type 'int'
Summary: Source/WebCore/xml/parser/CharacterReferenceParserInlines.h:107:33: runtime e...
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc. (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Chris Dumez
Keywords: InRadar
Depends on:
Reported: 2021-03-24 16:48 PDT by Chris Dumez
Modified: 2021-03-25 11:22 PDT (History)
4 users (show)

See Also:

Patch (4.01 KB, patch)
2021-03-24 16:50 PDT, Chris Dumez
no flags Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Chris Dumez 2021-03-24 16:48:27 PDT
Fix issue found by UBSan under consumeCharacterReference() in CharacterReferenceParserInlines.h.
Comment 1 Chris Dumez 2021-03-24 16:50:24 PDT
Created attachment 424201 [details]
Comment 2 Darin Adler 2021-03-25 10:59:54 PDT
Comment on attachment 424201 [details]

View in context: https://bugs.webkit.org/attachment.cgi?id=424201&action=review

> Source/WebCore/ChangeLog:9
> +        Use Checked<> for the result in consumeCharacterReference() to deal with overflows
> +        in a well-defined manner.

The reason UBSan doesn’t like this is that we don’t stop doing the worthless calculations once we have overflowed. Otherwise the code was fine.

> Source/WebCore/xml/parser/CharacterReferenceParserInlines.h:107
> +                result += static_cast<UChar32>(toASCIIHexValue(character));

Surprised that we need a typecast here; would have tried to avoid it.
Comment 3 EWS 2021-03-25 11:21:03 PDT
Committed r275048: <https://commits.webkit.org/r275048>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 424201 [details].
Comment 4 Radar WebKit Bug Importer 2021-03-25 11:22:16 PDT