Fund: LibPDF: Parser::parse_number: UBSAN: outside the range of representable values of type 'int'

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/user/Desktop/serenity/Userland/Libraries/LibPDF/Parser.cpp:734:35 in

Hit this a few times while fuzzing:

/home/user/Desktop/serenity/Userland/Libraries/LibPDF/Parser.cpp:734:35: runtime error: 4.50794e+18 is outside the range of representable values of type 'int'

/home/user/Desktop/serenity/Userland/Libraries/LibPDF/Parser.cpp:734:35: runtime error: inf is outside the range of representable values of type 'int'

Parser::parse_number will continue to consume() so long as the next character is a digit. This can lead to parsing multiple digits which exceed maximum int.

Parser::parse_number contains logic to handle floats by flipping is_float boolean to true, but only if . is present. If is_float is false, the returned value is cast as int.

serenity/Userland/Libraries/LibPDF/Parser.cpp

Lines 705 to 735 in 1f894ce

    
           Value Parser::parse_number() 
        
           { 
        
               size_t start_offset = m_reader.offset(); 
        
               bool is_float = false; 
        
               if (m_reader.matches('+') || m_reader.matches('-')) 
        
                   consume(); 
        
               while (!m_reader.done()) { 
        
                   if (m_reader.matches('.')) { 
        
                       if (is_float) 
        
                           break; 
        
                       is_float = true; 
        
                       consume(); 
        
                   } else if (isdigit(m_reader.peek())) { 
        
                       consume(); 
        
                   } else { 
        
                       break; 
        
                   } 
        
               } 
        
               consume_whitespace(); 
        
               auto string = String(m_reader.bytes().slice(start_offset, m_reader.offset() - start_offset)); 
        
               float f = strtof(string.characters(), nullptr); 
        
               if (is_float) 
        
                   return Value(f); 
        
               VERIFY(floorf(f) == f); 
        
               return Value(static_cast<int>(f)); 
        
           }

SerenityOS/serenity

LibPDF: Parser::parse_number: UBSAN: outside the range of representable values of type 'int'

How does funding with Polar work?

Backer

Contributor

Maintainer

	Value Parser::parse_number()
	{
	size_t start_offset = m_reader.offset();
	bool is_float = false;

	if (m_reader.matches('+') \|\| m_reader.matches('-'))
	consume();

	while (!m_reader.done()) {
	if (m_reader.matches('.')) {
	if (is_float)
	break;
	is_float = true;
	consume();
	} else if (isdigit(m_reader.peek())) {
	consume();
	} else {
	break;
	}
	}

	consume_whitespace();

	auto string = String(m_reader.bytes().slice(start_offset, m_reader.offset() - start_offset));
	float f = strtof(string.characters(), nullptr);
	if (is_float)
	return Value(f);

	VERIFY(floorf(f) == f);
	return Value(static_cast<int>(f));
	}

SerenityOS/serenity

LibPDF: Parser::parse_number: UBSAN: outside the range of representable values of type 'int'

How does funding with Polar work?

Backer

Why does "Fund on completion" require GitHub login?

When is the invoice due for "Fund on completion"?

What happens if the issue is never completed?

Do I get any extra benefits by funding?

Do I get progress updates?

Contributor

Do I get a reward?

Is rewards guaranteed?

Maintainer

How can I get funding like this for my open source initiatives?