Commit 3f2d60c
Fix #14885 Shift by negative value in TemplateSimplifier::simplifyNumericalCalculations() (#8639)
the value shift operators only reject a count >= bigint_bits, so
MathLib::value::shiftLeft still left-shifts a negative value and both
shiftLeft and shiftRight still shift by a negative count, which is
undefined behaviour. it is reachable when folding a template argument
like 0x8000000000000000 << 1 in simplifyNumericCalculations, since
MathLib::isNegative only checks for a leading minus while a large hex
literal parses to a negative bigint and the guard there lets it through.
mirror the negative-operand check calculate.h already uses and return
the operand unchanged, as is already done for oversized counts. ubsan
flags the left shift at mathlib.cpp:272 on that input.
1 parent ac061da commit 3f2d60c
3 files changed
Lines changed: 20 additions & 2 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
369 | 369 | | |
370 | 370 | | |
371 | 371 | | |
| 372 | + | |
372 | 373 | | |
373 | 374 | | |
374 | 375 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
266 | 266 | | |
267 | 267 | | |
268 | 268 | | |
269 | | - | |
| 269 | + | |
270 | 270 | | |
271 | 271 | | |
272 | 272 | | |
| |||
278 | 278 | | |
279 | 279 | | |
280 | 280 | | |
281 | | - | |
| 281 | + | |
282 | 282 | | |
283 | 283 | | |
284 | 284 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
320 | 320 | | |
321 | 321 | | |
322 | 322 | | |
| 323 | + | |
| 324 | + | |
323 | 325 | | |
324 | 326 | | |
325 | 327 | | |
| |||
6715 | 6717 | | |
6716 | 6718 | | |
6717 | 6719 | | |
| 6720 | + | |
| 6721 | + | |
| 6722 | + | |
| 6723 | + | |
| 6724 | + | |
| 6725 | + | |
| 6726 | + | |
| 6727 | + | |
| 6728 | + | |
| 6729 | + | |
| 6730 | + | |
| 6731 | + | |
| 6732 | + | |
| 6733 | + | |
| 6734 | + | |
6718 | 6735 | | |
6719 | 6736 | | |
6720 | 6737 | | |
| |||
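The guard the commit message describes, as an added example that is not code from this commit or from the project: a leading-minus test misses a hex literal that parses to a negative signed value, and the shift helpers return the operand unchanged for a negative operand (left shift) or for a negative or oversized count. The names `hasLeadingMinus`, `parseLiteral`, `countIsValid`, `guardedShiftLeft` and `guardedShiftRight` are hypothetical, and the parse-as-unsigned model and 64-bit `bigint` are assumptions.

```cpp
#include <iostream>
#include <limits>
#include <string>

using bigint = long long;
using biguint = unsigned long long;
constexpr int bigint_bits = std::numeric_limits<biguint>::digits;

// Textual sign test of the kind the commit message describes: leading minus only.
bool hasLeadingMinus(const std::string& s) { return !s.empty() && s[0] == '-'; }

// Assumed parsing model: read as unsigned, then store in the signed type,
// so 0x8000000000000000 ends up as a negative bigint.
bigint parseLiteral(const std::string& s) {
    return static_cast<bigint>(std::stoull(s, nullptr, 0));
}

// A negative or oversized count is undefined for both shift directions.
bool countIsValid(bigint count) { return count >= 0 && count < bigint_bits; }

// Left shift: also refuse a negative operand (undefined before C++20).
// On refusal the operand is returned unchanged, as the message describes.
bigint guardedShiftLeft(bigint value, bigint count) {
    if (value < 0 || !countIsValid(count))
        return value;
    // Shift in the unsigned type so a bit moving into the sign position
    // does not overflow a signed integer (extra care added in this example).
    return static_cast<bigint>(static_cast<biguint>(value) << count);
}

// Right shift: only the count needs guarding.
bigint guardedShiftRight(bigint value, bigint count) {
    if (!countIsValid(count))
        return value;
    return value >> count;
}

int main() {
    const std::string lit = "0x8000000000000000"; // literal from the commit message
    const bigint v = parseLiteral(lit);
    std::cout << "leading minus: " << hasLeadingMinus(lit) << ", parsed: " << v << '\n';
    std::cout << "v << 1  -> " << guardedShiftLeft(v, 1) << " (unchanged)\n";
    std::cout << "1 << -1 -> " << guardedShiftLeft(1, -1) << " (unchanged)\n";
    std::cout << "3 << 4  -> " << guardedShiftLeft(3, 4) << '\n';
    return 0;
}
```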