Caption numeric setters cast negative floats to unsigned int (UBSan) #309

New issue

Closed

opened 2026-04-11 21:21:59 +00:00 by john · 0 comments

john commented 2026-04-11 21:21:59 +00:00

Owner

Copy link

Found by: fuzz_property_types target (W5)

Summary

src/UICaption.cpp:216 casts a raw float to unsigned int without clamping or range-checking. Feeding a negative value (e.g. -992.065) into one of the Caption numeric setters (outline, font_size, or z_index) produces undefined behavior. UBSan reports:

runtime error: -992.065 is outside the range of representable values of type 'unsigned int'

Reproduction

Crash input preserved at:

tests/fuzz/crashes/property_types-crash-1f7141d732736d04b99d20261abd766194246ea6

Root Cause

The setter accepts a Python float and casts it directly:

// src/UICaption.cpp:216 (approx)
self->data->setSomething((unsigned int)value);

Any value < 0 or > UINT_MAX is UB on the cast.

Suggested Fix

Clamp to the valid range before the cast, e.g.:

if (value < 0.0f) value = 0.0f;
self->data->setSomething((unsigned int)value);

or change the underlying storage to a signed type if negatives are meaningful (they almost certainly aren't for outline/font_size).

Scope

Audit the other numeric setters on UICaption (and likely other UI types) for the same pattern while we're in there.

**Found by:** `fuzz_property_types` target (W5) ## Summary `src/UICaption.cpp:216` casts a raw `float` to `unsigned int` without clamping or range-checking. Feeding a negative value (e.g. `-992.065`) into one of the Caption numeric setters (`outline`, `font_size`, or `z_index`) produces undefined behavior. UBSan reports: ``` runtime error: -992.065 is outside the range of representable values of type 'unsigned int' ``` ## Reproduction Crash input preserved at: ``` tests/fuzz/crashes/property_types-crash-1f7141d732736d04b99d20261abd766194246ea6 ``` ## Root Cause The setter accepts a Python float and casts it directly: ```cpp // src/UICaption.cpp:216 (approx) self->data->setSomething((unsigned int)value); ``` Any value `< 0` or `> UINT_MAX` is UB on the cast. ## Suggested Fix Clamp to the valid range before the cast, e.g.: ```cpp if (value < 0.0f) value = 0.0f; self->data->setSomething((unsigned int)value); ``` or change the underlying storage to a signed type if negatives are meaningful (they almost certainly aren't for `outline`/`font_size`). ## Scope Audit the other numeric setters on `UICaption` (and likely other UI types) for the same pattern while we're in there.

john added the

Bugfix

system:ui-hierarchy

priority:tier1-active

labels 2026-04-11 21:21:59 +00:00

john referenced this issue from a commit 2026-04-18 00:05:58 +00:00

Clamp Caption numeric setters to prevent UBSan float->uint UB

john closed this issue 2026-04-18 00:05:58 +00:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

threedee

emscripten-mcrogueface

rogueliketutorial25

alpha_presentable

alpha_streamline_2

alpha_streamline_1

interpreter_mode

grid_entity_integration

reprs_and_member_names

break_up_ui_h

standardize_font_handling

standardize_vector_handling

standardize_color_handling

standardize_texture_handling

raii_pyobjects

rebase-for-7DRL_Feb-2024

engjam_uicollection

engjam_ui_overhaul

0.2.3-prerelease-7drl2026-emscripten

Labels

Clear labels   

Alpha Release Requirement

This issue is a blocker to 0.1 Alpha release of McRogueFace.

  

Bugfix

  

Demo Target

Functionality to demonstrate; Depends on new features, but this issue isn't for writing them.

  

Documentation

  

Major Feature

Significant time and effort required.

  

Minor Feature

Some effort required to create or overhaul functionality.

  

priority:tier1-active

Current development focus - critical path to v1.0

  

priority:tier2-foundation

Important foundation work - not blocking v1.0

  

priority:tier3-future

Future features - deferred until after v1.0

  

priority:tier4-deferred

  

Refactoring & Cleanup

no new functionality, just improving the codebase.

  

system:animation

Animation and property interpolation

  

system:documentation

Documentation infrastructure

  

system:grid

Grid system and spatial containers

  

system:input

Input handling and events

  

system:performance

Performance optimization and profiling

  

system:procgen

Procedural Generation (Noise, BSP, Heightmap)

  

system:python-binding

Python/C++ binding layer

  

system:rendering

Rendering pipeline and visuals

  

system:ui-hierarchy

UI component hierarchy and composition

  

Tiny Feature

quick and easy - a few lines or with little interconnection around the codebase

  

workflow:blocked

Blocked by other work - waiting on dependencies

  

workflow:needs-benchmark

Needs performance testing and benchmarks

  

workflow:needs-documentation

Needs documentation before or after implementation

No labels

Alpha Release Requirement

Bugfix

Demo Target

Documentation

Major Feature

Minor Feature

priority:tier1-active

priority:tier2-foundation

priority:tier3-future

priority:tier4-deferred

Refactoring & Cleanup

system:animation

system:documentation

system:grid

system:input

system:performance

system:procgen

system:python-binding

system:rendering

system:ui-hierarchy

Tiny Feature

workflow:blocked

workflow:needs-benchmark

workflow:needs-documentation

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

john/McRogueFace#309

No description provided.