Closed
Bug 811264
Opened 12 years ago
Closed 11 years ago
Signed integer overflows in js::Int32ToString and IntToCString
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla28
People
(Reporter: decoder, Assigned: Waldo)
References
(Blocks 1 open bug)
Details
(Keywords: sec-want, Whiteboard: [js:t] [-fsanitize=signed-integer-overflow][qa-])
Attachments
(1 file, 1 obsolete file)
2.33 KB,
patch
|
jorendorff
:
review+
|
Details | Diff | Splinter Review |
There are two signed integer overflows in the mentioned functions (in js/src/jsnum.cpp), when trying to get the absolute positive uint from a (checked) negative int:
> js::Int32ToString(JSContext *cx, int32_t si)
> {
> uint32_t ui;
> if (si >= 0) {
> if (StaticStrings::hasInt(si))
> return cx->runtime->staticStrings.getInt(si);
> ui = si;
> } else {
> ui = uint32_t(-si); // <<<---- HERE
> JS_ASSERT_IF(si == INT32_MIN, ui == uint32_t(INT32_MAX) + 1);
> }
and
> static char *
> IntToCString(ToCStringBuf *cbuf, int i, int base = 10)
> {
> unsigned u = (i < 0) ? -i : i; <<<---- HERE
This won't lead to immediate failures because the compiler will usually do what one expects but this isn't guaranteed. We should explicitly use the proper casts to avoid signed integer overflowing. (INT32-C, CERT Secure Coding Standard).
Attached is a patch. I'm confident about the first change, but not exactly sure if the second is correct on all platforms (but I guess it is). Feedback welcome.
Attachment #681000 -
Flags: review?(jorendorff)
Attachment #681000 -
Flags: feedback?(jdemooij)
Updated•12 years ago
|
Attachment #681000 -
Flags: feedback?(jdemooij) → feedback+
Assignee | ||
Comment 1•12 years ago
|
||
Comment on attachment 681000 [details] [diff] [review]
Patch
MSVC will warn if you apply unary minus to an unsigned type.
Could we switch this to uint32_t instead of int32_t, maybe? My recollection is our fast-path behavior only works for small unsigned numbers anyway.
Attachment #681000 -
Flags: feedback-
Updated•12 years ago
|
Whiteboard: [js:t]
Comment 2•12 years ago
|
||
(In reply to Jeff Walden [:Waldo] (remove +bmo to email) from comment #1)
> MSVC will warn if you apply unary minus to an unsigned type.
What do you recommend then? It seems like the right fix to me.
I think the hottest path into Int32ToString is from js::ToStringSlow, which obviously needs the whole int32 range covered.
Flags: needinfo?(jwalden+bmo)
Comment 3•12 years ago
|
||
Comment on attachment 681000 [details] [diff] [review]
Patch
I mean, we could certainly change Int32ToString to take a uint32_t, and then it wouldn't need to do this conversion. But we would only have moved the problem to js::ToStringSlow. And in any case COME ON we're talking about an operation that maps exactly to a single arithmetic instruction, C's exact target problem domain. Are we mice or are we hackers?
I say add the `#ifdef _MSC_VER #pragma warnings push` weaksauce in this .cpp file. The warning is dumb.
Clearing review flag for now.
(Oh - we should probably change IntToCString to Int32ToCString though.)
Attachment #681000 -
Flags: review?(jorendorff)
Assignee | ||
Comment 4•12 years ago
|
||
Oh, right, this is needed for ToStringSlow. So of course this has to be Int32ToString and Int32ToCString (renaming's clearly the right thing to do).
What we should do is move NegateNegativeInt32(int32_t i) out of jsarray.cpp and use that. For lack of a better place, maybe jsnum.h for now?
Flags: needinfo?(jwalden+bmo)
Updated•11 years ago
|
Whiteboard: [js:t] → [js:t] [-fsanitize=signed-integer-overflow]
Reporter | ||
Comment 5•11 years ago
|
||
Waldo, can we get this patch in, or does it need changes? Thanks!
Flags: needinfo?(jwalden+bmo)
Assignee | ||
Comment 6•11 years ago
|
||
Oh hey, we have mozilla::Abs to eliminate all the crazy. (And plus the rename mentioned earlier.)
Assignee: choller → jwalden+bmo
Attachment #681000 -
Attachment is obsolete: true
Status: NEW → ASSIGNED
Attachment #827644 -
Flags: review?(jorendorff)
Flags: needinfo?(jwalden+bmo)
Comment 7•11 years ago
|
||
Comment on attachment 827644 [details] [diff] [review]
Use mozilla::Abs instead of open-coding in warning-inducing ways
Review of attachment 827644 [details] [diff] [review]:
-----------------------------------------------------------------
Thanks. And I'm sorry for vanishing for two weeks.
Attachment #827644 -
Flags: review?(jorendorff) → review+
Assignee | ||
Comment 8•11 years ago
|
||
Comment 9•11 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla28
Updated•11 years ago
|
Whiteboard: [js:t] [-fsanitize=signed-integer-overflow] → [js:t] [-fsanitize=signed-integer-overflow][qa-]
You need to log in
before you can comment on or make changes to this bug.
Description
•