Closed Bug 811355 Opened 12 years ago Closed 11 years ago

Signed integer overflow in js::random_next

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED

People

(Reporter: decoder, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: sec-want, Whiteboard: [-fsanitize=signed-integer-overflow])

Attachments

(1 file)

Attached patch: Patch
The following code in js/src/jsmath.cpp performs unchecked multiplication of a signed integer (which can actually be large enough to overflow):

> extern uint64_t
> random_next(int64_t *rngSeed, int bits)
> {
>     uint64_t nextseed = *rngSeed * RNG_MULTIPLIER;
>     nextseed += RNG_ADDEND;
>     nextseed &= RNG_MASK;
>     *rngSeed = nextseed;
>     return nextseed >> (48 - bits);
> }

This won't lead to an immediate failure here, but signed integer overflow is undefined according to the C standard and should not be relied on (INT32-C, CERT Secure Coding Standard).

jorendorff suggested just making rngSeed unsigned in the JSContext. Patch for this is attached.
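The following is an added example written for this page; it is not code from the bug, the attached patch, or SpiderMonkey itself. It puts the pre-fix signed shape next to the unsigned fix, adds the check a reviewer would want (does the signed multiply actually overflow for a given seed?), and shows that wrapping unsigned arithmetic still yields the correct low 48 bits. The LCG constants used (0x5DEECE66D, 0xB, a 48-bit mask) are the java.util.Random parameters that SpiderMonkey's jsmath.cpp is generally understood to have used; the bug does not quote them, so treat their values as an assumption of this example. `__builtin_mul_overflow` and `unsigned __int128` are GCC/Clang extensions.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumed LCG parameters (java.util.Random's 48-bit generator); the bug
 * report does not quote the actual macro values. */
#define RNG_MULTIPLIER 0x5DEECE66DULL
#define RNG_ADDEND     0xBULL
#define RNG_MASK       ((1ULL << 48) - 1)

/* Pre-fix shape, for comparison only. With both operands signed 64-bit,
 * `*rngSeed * multiplier` is a signed multiply and is undefined behaviour
 * once the exact product no longer fits in int64_t (roughly any seed
 * above 3.6e11 with this multiplier). Only call it for seeds where
 * signed_next_would_overflow() returns false. */
uint64_t random_next_signed(int64_t *rngSeed, int bits)
{
    uint64_t nextseed = *rngSeed * (long long)RNG_MULTIPLIER;
    nextseed += RNG_ADDEND;
    nextseed &= RNG_MASK;
    *rngSeed = (int64_t)nextseed;
    return nextseed >> (48 - bits);
}

/* The check: would the signed version's multiply overflow for this seed?
 * __builtin_mul_overflow evaluates the exact product and reports whether
 * it fits the destination type, without performing the UB multiply. */
bool signed_next_would_overflow(int64_t seed)
{
    int64_t product;
    return __builtin_mul_overflow(seed, (int64_t)RNG_MULTIPLIER, &product);
}

/* The fix the bug records: keep the seed unsigned. Unsigned multiply wraps
 * modulo 2^64, which the standard defines, and because the result is
 * masked to 48 bits the discarded high bits never influence the output. */
uint64_t random_next(uint64_t *rngSeed, int bits)
{
    uint64_t nextseed = *rngSeed * RNG_MULTIPLIER;
    nextseed += RNG_ADDEND;
    nextseed &= RNG_MASK;
    *rngSeed = nextseed;
    return nextseed >> (48 - bits);
}

/* Reference step computed in 128 bits, so the exact product never wraps.
 * Used to confirm that the wrapping 64-bit version is bit-for-bit right. */
uint64_t lcg_step_reference(uint64_t seed)
{
    unsigned __int128 wide = (unsigned __int128)seed * RNG_MULTIPLIER + RNG_ADDEND;
    return (uint64_t)(wide & RNG_MASK);
}

int main(void)
{
    /* Constructed seeds: 1 is safe for the signed version, 2^47 is not. */
    int64_t safe_seed = 1;
    int64_t big_seed = (int64_t)1 << 47;

    printf("seed 1 overflows signed multiply: %s\n",
           signed_next_would_overflow(safe_seed) ? "yes" : "no");
    printf("seed 2^47 overflows signed multiply: %s\n",
           signed_next_would_overflow(big_seed) ? "yes" : "no");

    uint64_t s = (uint64_t)big_seed;
    uint64_t out = random_next(&s, 48);
    printf("unsigned step of 2^47: 0x%012llx, reference: 0x%012llx\n",
           (unsigned long long)out,
           (unsigned long long)lcg_step_reference((uint64_t)big_seed));
    return 0;
}
```

Compiling the signed version with `-fsanitize=signed-integer-overflow` (the tag in this bug's whiteboard) and feeding it a seed for which `signed_next_would_overflow()` is true reproduces the sanitizer report; the unsigned version is silent because no signed operation remains.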
Attachment #681100 - Flags: review?(jorendorff)
Attachment #681100 - Flags: review?(jorendorff) → review+
Whiteboard: [-fsanitize=signed-integer-overflow]
This got fixed in 7702047b003f for bug 820180.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Blocks: 919486