[webkit-reviews] review granted: [Bug 223718] Source/WebCore/xml/parser/CharacterReferenceParserInlines.h:107:33: runtime error: signed integer overflow: 268435455 * 16 cannot be represented in type 'int' : [Attachment 424201] Patch
bugzilla-daemon at webkit.org
Thu Mar 25 10:59:54 PDT 2021
Darin Adler <darin at apple.com> has granted Chris Dumez <cdumez at apple.com>'s
request for review:
Bug 223718: Source/WebCore/xml/parser/CharacterReferenceParserInlines.h:107:33: runtime error: signed integer overflow: 268435455 * 16 cannot be represented in type 'int'
https://bugs.webkit.org/show_bug.cgi?id=223718
Attachment 424201: Patch
https://bugs.webkit.org/attachment.cgi?id=424201&action=review
--- Comment #2 from Darin Adler <darin at apple.com> ---
Comment on attachment 424201
--> https://bugs.webkit.org/attachment.cgi?id=424201
Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=424201&action=review
> Source/WebCore/ChangeLog:9
> + Use Checked<> for the result in consumeCharacterReference() to deal with overflows
> + in a well-defined manner.
The reason UBSan doesn’t like this is that we don’t stop doing the worthless
calculations once we have overflowed. Otherwise the code was fine.
> Source/WebCore/xml/parser/CharacterReferenceParserInlines.h:107
> + result += static_cast<UChar32>(toASCIIHexValue(character));
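Review bot: the cast on line 107 only converts the operand; the overflow handling promised in the ChangeLog depends on `result` itself being the Checked<> type, and its declaration is outside this context, so please confirm it and that `hasOverflowed()` is consulted before the accumulated value is used.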
Surprised that we need a typecast here; would have tried to avoid it.
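The shape of the bug and of the fix discussed above, as an added example that is not WebKit's code: a hex numeric character reference parser that accumulates digits into a signed `int` (the pattern UBSan flagged, kept only to show the bug) next to a checked version that stops doing arithmetic once the value can no longer be a valid code point but keeps consuming the digit run so the whole reference is swallowed. The functions, the `CharRef` struct and the decision to require a terminating `;` and to report overflow as U+FFFD are this example's own simplifications; the sample inputs are constructed, and `&#xFFFFFFF0;` is chosen because 268435455 * 16 from the bug title is 0xFFFFFFF0.

```cpp
#include <cstdint>
#include <cstdio>
#include <optional>
#include <string>
#include <string_view>

// Constructed example, not WebKit's code.
struct CharRef {
    uint32_t codePoint;   // U+FFFD when the reference overflowed
    size_t consumed;      // bytes consumed, including the ';'
    bool overflowed;
};

static constexpr uint32_t kMaxCodePoint = 0x10FFFF;
static constexpr uint32_t kReplacementCharacter = 0xFFFD;

static int hexValue(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

// The unchecked shape: a signed accumulator that keeps multiplying after the
// value has already become meaningless. result * 16 is undefined behaviour in
// C++ once result > INT_MAX / 16, which is exactly what UBSan reports.
// Shown for contrast only; never feed it more than 7 hex digits.
static int accumulateUnchecked(std::string_view hexDigits) {
    int result = 0;
    for (char c : hexDigits)
        result = result * 16 + hexValue(c);
    return result;
}

// Checked version. The accumulator is unsigned and bounded to kMaxCodePoint,
// so no arithmetic here can overflow; once the bound is exceeded we stop
// computing (the result is worthless) but still consume the remaining digits.
static std::optional<CharRef> parseHexCharRef(std::string_view input) {
    if (input.size() < 4 || input[0] != '&' || input[1] != '#'
        || (input[2] != 'x' && input[2] != 'X'))
        return std::nullopt;

    size_t i = 3;
    size_t digits = 0;
    uint32_t result = 0;
    bool overflowed = false;

    for (; i < input.size(); ++i) {
        int v = hexValue(input[i]);
        if (v < 0) break;
        ++digits;
        if (overflowed) continue;  // keep consuming, stop calculating
        // result * 16 + v <= kMaxCodePoint  iff  result <= (kMaxCodePoint - v) / 16
        if (result > (kMaxCodePoint - static_cast<uint32_t>(v)) / 16) {
            overflowed = true;
            continue;
        }
        result = result * 16 + static_cast<uint32_t>(v);
    }

    if (digits == 0) return std::nullopt;                          // "&#x;" or "&#xZZ;"
    if (i >= input.size() || input[i] != ';') return std::nullopt; // simplification: require ';'
    ++i;
    return CharRef{ overflowed ? kReplacementCharacter : result, i, overflowed };
}

int main() {
    // Constructed inputs; the last one is the bug title's 0xFFFFFFF0.
    for (const char* s : { "&#x41;", "&#x10FFFF;", "&#x110000;", "&#xFFFFFFF0;" }) {
        auto r = parseHexCharRef(s);
        if (!r) { std::printf("%-14s -> no reference\n", s); continue; }
        std::printf("%-14s -> U+%04X consumed=%zu overflowed=%d\n",
                    s, r->codePoint, r->consumed, r->overflowed);
    }
    return 0;
}
```

The bound check is the whole fix: every multiply-and-add is guarded before it happens, so the signed-overflow path never exists, and a reference of any length is consumed in one pass instead of being abandoned at the first bad digit.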