[Webkit-unassigned] [Bug 210540] New: Fix an integer overflow in WebCrypto AES-CTR Mac implementation, which may detect a false loop

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Apr 15 01:33:08 PDT 2020


https://bugs.webkit.org/show_bug.cgi?id=210540

            Bug ID: 210540
           Summary: Fix an integer overflow in WebCrypto AES-CTR Mac
                    implementation, which may detect a false loop
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Macintosh
                OS: macOS 10.15
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: tomoki.imai at sony.com
                CC: don.olmstead at sony.com, Hironori.Fujii at sony.com,
                    jiewen_tan at apple.com, yoshiaki.jitsukawa at sony.com

(1 << counterLength) causes an integer overflow and undefined behavior.
The longest valid counterLength on a 64-bit machine is 63, and the literal 1 is considered a 32-bit signed integer.
Left-shifting 1 beyond or to the sign bit is undefined behavior in the C++ spec.

This issue was originally found in https://bugs.webkit.org/show_bug.cgi?id=208186#c2

Unfortunately, I don't own a Mac, so I can't test this locally.
For the OpenSSL implementation, the added test case could catch this issue.

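The shift described in the report, as an added illustration that is not WebKit's code or the patch attached to this bug. It assumes the loop check compares a block count against 2^counterLength; the function names and the 32-bit truncation model are hypothetical.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Hypothetical check (an assumption, not WebKit code): the counter "loops"
// when more blocks are processed than a counterLength-bit counter can number.
// The shift is done on a 64-bit unsigned operand, so it is defined for 0..63.
bool loopDetected(uint64_t blockCount, size_t counterLength)
{
    if (counterLength >= 64)
        return false; // 2^64 or more values: no 64-bit block count can exceed it
    return blockCount > (uint64_t{1} << counterLength);
}

// Defined model of a too-narrow capacity: the same power of two with only its
// low 32 bits kept. The expression from the report, (1 << counterLength) with
// an int literal, has no guaranteed result, so this is one illustrative
// outcome and not what any particular compiler produces.
uint64_t narrowCapacityModel(size_t counterLength)
{
    return static_cast<uint32_t>(uint64_t{1} << (counterLength & 63));
}

bool loopDetectedNarrowModel(uint64_t blockCount, size_t counterLength)
{
    return blockCount > narrowCapacityModel(counterLength);
}

int main()
{
    // Constructed inputs: 3 blocks with a 40-bit counter cannot wrap.
    std::printf("64-bit shift: %d\n", loopDetected(3, 40));            // no loop
    std::printf("narrow model: %d\n", loopDetectedNarrowModel(3, 40)); // false loop
    return 0;
}
```

In the narrow model the capacity for a 40-bit counter collapses to 0, so any non-empty input is reported as a loop; widening the shifted operand removes that failure.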