[Webkit-unassigned] [Bug 210540] Fix an integer overflow in WebCrypto AES-CTR Mac implementation, which may detect a false loop

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Apr 15 12:16:41 PDT 2020


https://bugs.webkit.org/show_bug.cgi?id=210540

Jiewen Tan <jiewen_tan at apple.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #396514|review?                     |review-
              Flags|                            |

--- Comment #2 from Jiewen Tan <jiewen_tan at apple.com> ---
Comment on attachment 396514
  --> https://bugs.webkit.org/attachment.cgi?id=396514
patch

View in context: https://bugs.webkit.org/attachment.cgi?id=396514&action=review

Good catch! Please address my comments below.

> Source/WebCore/ChangeLog:6
> +        (1 << counterLength) causes an integer overflow, and the undefined behavior.
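Review bot: the ChangeLog entry should name the root cause precisely instead of "an integer overflow, and the undefined behavior": the literal `1` has type `int`, so `1 << counterLength` is undefined behaviour whenever `counterLength` is at least the bit width of `int`, independent of any overflow of the result, and that is exactly what widening the left operand to an unsigned type fixes. Suggested wording: "The literal 1 is an int, so (1 << counterLength) is undefined behaviour for large counter lengths; shift a wider unsigned value instead."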

Maybe you could reference here: https://en.cppreference.com/w/cpp/language/integer_literal.

> Source/WebCore/crypto/mac/CryptoAlgorithmAES_CTRMac.cpp:48
> +    if (counterLength < sizeof(size_t) * 8 && numberOfBlocks > ((size_t)1 << counterLength))

((size_t)1 => 1ull
