Undefined behavior in fix for bug 1140537

Status: NEW (Unassigned)
Product / Component: Core :: XML
Reporter: mccr8
Keywords: csectype-undefined
Tracking: Trunk
Firefox Tracking Flags: firefox49 affected

Description (Reporter, a year ago):

It sounds like checking overflow by seeing if the addition of two positive values is negative is undefined behavior, and a sufficiently smart compiler is then allowed to remove the check. It sounds like newer versions of GCC can do this sometimes, though I'm not sure if they do it in this particular case.

This was reported to me on Twitter: https://twitter.com/spun_off/status/730281375828480001

Anyways, we should probably use CheckedInt instead.
(Reporter) Updated, a year ago: Keywords: csectype-undefined

Comment (Reporter):
Seems like it's not an issue yet:

> yes apparently the only reason expat compiled with GCC is safe is that GCC doesn't infer yet that bufferSize is positive before loop
See also bug 1031653 (not an actual See Also because those are public, although this one was discussed in public so that may not matter).
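As an added illustration of the pattern the description and the quoted tweet refer to (constructed for this page, not expat's or Mozilla's code; the function and variable names are hypothetical), here is the "did it go negative?" check after a signed operation next to a form that proves the operation cannot overflow before performing it, which is what CheckedInt does in C++:

```c
#include <limits.h>
#include <stdbool.h>

/* The shape the report warns against: grow a signed buffer size and test
   for overflow afterwards. Signed overflow is undefined behaviour, so the
   compiler may assume bufferSize never wraps and delete the test. Kept
   here only to show the pattern; it relies on UB when it overflows. */
static bool grow_unchecked(int bufferSize, int needed, int *out)
{
    while (bufferSize < needed) {
        bufferSize *= 2;        /* UB if this overflows */
        if (bufferSize < 0)     /* may be optimised away as "never true" */
            return false;
    }
    *out = bufferSize;
    return true;
}

/* Checked addition: decide before adding whether a + b fits in an int.
   No signed overflow ever happens, so the compiler cannot reason it away. */
static bool checked_add(int a, int b, int *out)
{
    if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b))
        return false;           /* would overflow: report it, do not compute */
    *out = a + b;
    return true;
}

/* Doubling expressed as a checked addition. */
static bool checked_double(int a, int *out)
{
    return checked_add(a, a, out);
}

/* Same growth loop, but every step refuses rather than wraps. */
static bool grow_checked(int bufferSize, int needed, int *out)
{
    if (bufferSize <= 0 || needed < 0)
        return false;           /* reject nonsensical sizes up front */
    while (bufferSize < needed) {
        if (!checked_double(bufferSize, &bufferSize))
            return false;       /* growth would overflow: fail the allocation */
    }
    *out = bufferSize;
    return true;
}
```

Building the unchecked version with -fsanitize=undefined and an overflowing `needed` makes the difference visible: the sanitizer reports the signed overflow, whereas the checked version simply returns false.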
(Reporter) Updated, a year ago: Blocks: 1140537; Group: dom-core-security