Undefined-shift · ubidi_getRuns_64

Description

Macros in icu/source/common/ubidiimp.h cause the fuzzer to complain about Undefined-shift:

Running: /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/fuzz-3
../../third_party/icu/source/common/ubidiln.cpp:666:17: runtime error: left shift of 2 by 31 places cannot be represented in type 'int32_t' (aka 'int')
Running command: /mnt/scratch0/clusterfuzz/bot/builds/chromium-browser-libfuzzer_linux-release-ubsan_ae530a86793cd6b8b56ce9af9159ac101396e802/revisions/libfuzzer-linux-release-664253/renderer_tree_fuzzer -timeout=25 -rss_limit_mb=2048 -runs=100 /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/fuzz-3
INFO: Seed:113855985
INFO: Loaded 1 modules (4556526 inline 8-bit counters): 4556526 [0x55d8f45bcac8, 0x55d8f4a151b6),
INFO: Loaded 1 PC tables (4556526 PCs): 4556526 [0x55d8f4a151b8,0x55d8f8f9c098),
/mnt/scratch0/clusterfuzz/bot/builds/chromium-browser-libfuzzer_linux-release-ubsan_ae530a86793cd6b8b56ce9af9159ac101396e802/revisions/libfuzzer-linux-release-664253/renderer_tree_fuzzer: Running 1 inputs 100 time(s) each.
Running: /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/fuzz-3
../../third_party/icu/source/common/ubidiln.cpp:666:17: runtime error: left shift of 2 by 31 places cannot be represented in type 'int32_t' (aka 'int')
#0 0x55d8eaa5a0ca in ubidi_getRuns_64 third_party/icu/source/common/ubidiln.cpp:666:17
#1 0x55d8eaa59354 in ubidi_countRuns_64 third_party/icu/source/common/ubidiln.cpp:355:5
#2 0x55d8eaa58f15 in ubidi_getLogicalRun_64 third_party/icu/source/common/ubidiln.cpp:314:14
#3 0x55d8ef397a0e in blink::NGBidiParagraph::GetLogicalRun(unsigned int, unsigned char*) const third_party/blink/renderer/core/layout/ng/inline/ng_bidi_paragraph.cc:59:3

Here is the code at source/common/ubidiln.cpp line 666:

ADD_ODD_BIT_FROM_LEVEL(runs[i].logicalStart, levels[runs[i].logicalStart]);

Here are the macros (from ubidiimp.h):

#define INDEX_ODD_BIT (1UL<<31)

#define MAKE_INDEX_ODD_PAIR(index, level) ((index)|((int32_t)(level)<<31))
#define ADD_ODD_BIT_FROM_LEVEL(x, level) ((x)|=((int32_t)(level)<<31))
#define REMOVE_ODD_BIT(x) ((x)&=~INDEX_ODD_BIT)

We probably need to change (level) to (level & 1) in MAKE_INDEX_ODD_PAIR and ADD_ODD_BIT_FROM_LEVEL to make it happy.
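As an added illustration (not ICU code; all names below are hypothetical), here are the ticket's odd-bit macros written as functions with the proposed (level & 1) mask, plus a check that explains why UBSan fired: a UBiDiLevel is an unsigned byte, so shifting any level of 2 or more by 31 pushes bits out of a 32-bit int, while masking to the parity bit first keeps the shifted value to at most 1<<31 and still round-trips the logical index.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example (not ICU code): the odd-bit macros from the ticket, rewritten
   so that only bit 0 of the level ever reaches the shift. Names are hypothetical. */

#define INDEX_ODD_BIT 0x80000000u

/* A UBiDiLevel is an unsigned byte; only its parity (odd = RTL) matters here.
   Masking with 1 before the shift bounds the shifted value at 1<<31. */
static int32_t fixed_make_index_odd_pair(int32_t index, uint8_t level) {
    uint32_t u = (uint32_t)index | (((uint32_t)level & 1u) << 31);
    return (int32_t)u; /* two's complement wrap on ICU's targets */
}

/* In-place form, mirroring ADD_ODD_BIT_FROM_LEVEL(x, level). */
static void fixed_add_odd_bit_from_level(int32_t *x, uint8_t level) {
    *x = fixed_make_index_odd_pair(*x, level);
}

static int32_t remove_odd_bit(int32_t x) {
    return (int32_t)((uint32_t)x & ~INDEX_ODD_BIT);
}

static int get_odd_bit(int32_t x) {
    return ((uint32_t)x & INDEX_ODD_BIT) != 0;
}

/* The original macro shifts the whole level: (int32_t)(level) << 31.
   Without performing that shift (it is undefined when it overflows), decide
   whether level * 2^31 fits in 32 bits at all: it does not for any level >= 2,
   which is exactly the "left shift of 2 by 31 places" UBSan reported. */
static int original_shift_overflows(uint8_t level) {
    return level > (UINT32_MAX >> 31);
}

/* Round-trip check: the logical index survives and the odd bit equals level & 1. */
static int odd_pair_roundtrip_ok(int32_t index, uint8_t level) {
    int32_t packed = fixed_make_index_odd_pair(index, level);
    return remove_odd_bit(packed) == index && get_odd_bit(packed) == (level & 1);
}

int main(void) {
    /* Constructed sample levels: the report's level 2 plus some neighbours. */
    uint8_t levels[] = {0, 1, 2, 3, 125};
    for (size_t i = 0; i < sizeof levels / sizeof levels[0]; i++) {
        printf("level %3u: original shift overflows=%d, fixed round-trip ok=%d\n",
               levels[i], original_shift_overflows(levels[i]),
               odd_pair_roundtrip_ok(17, levels[i]));
    }
    return 0;
}
```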

Assignee

Frank Yung-Fong Tang

Reporter

Frank Yung-Fong Tang

Reviewer

None

Priority

minor

Time Needed

None
