WebKit Bugzilla
Bug 223718 - RESOLVED FIXED
Source/WebCore/xml/parser/CharacterReferenceParserInlines.h:107:33: runtime error: signed integer overflow: 268435455 * 16 cannot be represented in type 'int'
https://bugs.webkit.org/show_bug.cgi?id=223718
Reported by Chris Dumez, 2021-03-24 16:48:27 PDT
Fix issue found by UBSan under consumeCharacterReference() in CharacterReferenceParserInlines.h.
Attachments
Patch (4.01 KB, patch), 2021-03-24 16:50 PDT, Chris Dumez, no flags
Chris Dumez, Comment 1, 2021-03-24 16:50:24 PDT
Created attachment 424201 [details]: Patch
Darin Adler, Comment 2, 2021-03-25 10:59:54 PDT
Comment on attachment 424201 [details]: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=424201&action=review
> Source/WebCore/ChangeLog:9
> +        Use Checked<> for the result in consumeCharacterReference() to deal with overflows
> +        in a well-defined manner.
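Review bot: the ChangeLog entry says overflow is now handled "in a well-defined manner" but does not say what consumeCharacterReference() does once Checked<> records an overflow (whether the reference is rejected or the remaining digits are consumed without further arithmetic); state the resulting behaviour here, since that is what the UBSan report in the title is about and what a reader of the log needs to verify the fix.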
The reason UBSan doesn’t like this is that we don’t stop doing the worthless calculations once we have overflowed. Otherwise the code was fine.
> Source/WebCore/xml/parser/CharacterReferenceParserInlines.h:107
> +            result += static_cast<UChar32>(toASCIIHexValue(character));
Surprised that we need a typecast here; would have tried to avoid it.
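The failure mode in the bug title, and the point in the review that the arithmetic should stop once an overflow has been detected, as an added stand-alone example (not WebKit's code; the function and type names are invented): a hex numeric-character-reference accumulator in the unchecked `int` form UBSan flagged, beside a checked form that tests each step before multiplying and does no further arithmetic after the first overflow.

```cpp
#include <cstdint>
#include <limits>
#include <string>

// Simplified stand-in for the hex-digit accumulation inside a numeric
// character reference parser ("&#x1F600;"). Not WebKit's code.
struct HexReferenceResult {
    bool overflowed;  // set once the value no longer fits in 'int'
    int32_t value;    // meaningful only when !overflowed
};

static int hexDigitValue(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return 10 + (c - 'a');
    if (c >= 'A' && c <= 'F') return 10 + (c - 'A');
    return -1;  // not a hex digit: terminates the digit run
}
// The pattern UBSan reported: unchecked 'int' arithmetic. On the eighth
// 'F' it evaluates 268435455 * 16, which does not fit and is undefined.
// Kept only as the "before" picture; never call it on untrusted input.
int32_t uncheckedAccumulate(const std::string& digits) {
    int32_t result = 0;
    for (char c : digits) {
        int d = hexDigitValue(c);
        if (d < 0) break;
        result = result * 16 + d;  // UB once result exceeds INT_MAX / 16
    }
    return result;
}
// Checked version: before each step, verify that value * 16 + d still
// fits; after the first overflow keep consuming digits but do no more
// arithmetic, mirroring the "stop doing the worthless calculations" point.
HexReferenceResult consumeHexCharacterReference(const std::string& digits) {
    HexReferenceResult r{false, 0};
    const int32_t limit = std::numeric_limits<int32_t>::max();
    for (char c : digits) {
        int d = hexDigitValue(c);
        if (d < 0) break;
        if (r.overflowed) continue;  // swallow digits, no arithmetic
        if (r.value > (limit - d) / 16) {
            r.overflowed = true;  // flag once; value is discarded
            r.value = 0;
            continue;
        }
        r.value = r.value * 16 + d;
    }
    return r;
}
```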
EWS, Comment 3, 2021-03-25 11:21:03 PDT
Committed r275048: <https://commits.webkit.org/r275048>
All reviewed patches have been landed. Closing bug and clearing flags on attachment 424201 [details].
Radar WebKit Bug Importer, Comment 4, 2021-03-25 11:22:16 PDT
<rdar://problem/75845102>