https://codereview.chromium.org/1157843006/diff/20001/src/api.cc
File src/api.cc (right):

https://codereview.chromium.org/1157843006/diff/20001/src/api.cc#newcode6276
src/api.cc:6276: int length = size * 2;
On 2015/06/05 15:05:47, Jakob wrote:
On 2015/06/03 15:35:30, adamk wrote:
> On 2015/06/03 10:44:51, jochen wrote:
> > can this overflow?
>
> NumberOfElements is stored in a Smi and is guaranteed to be positive, so I don't
> think so.

Uhm... I don't follow this reasoning. On 64-bit platforms, Smis and ints both
have 32 bits including the sign, so a value close to the maximum can absolutely
overflow when you *2 it. Please use CheckedNumerics (from safe_math.h) for
anything that comes even remotely close to the overflow threshold, and is
stability/security sensitive like allocations and indexed accesses are.

Sorry, my reason was indeed bogus (I must have been thinking of 31-bit
Smis), but this is safe because OrderedHashTable::kMaxCapacity <
FixedArray::kMaxLength, which itself is already bounded well below int
overflow range.

https://codereview.chromium.org/1157843006/
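The two arguments in the thread (a Smi-sized `size` can overflow when doubled; a `size` bounded by a table capacity well below the int range cannot) can be made concrete. The block below is an added example, not code from the V8 review or from V8 itself: `CheckedDouble` is a minimal stand-in for the checked multiply that `CheckedNumeric` would provide, `kSmiMaxValue` assumes a 64-bit build with 32-bit Smis, and `kAssumedMaxCapacity` is a hypothetical placeholder for `OrderedHashTable::kMaxCapacity`, whose real value the thread does not give.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>

// Assumption (not from the page): on 64-bit V8 builds Smis carry 31 bits of
// magnitude plus sign, so the largest Smi equals INT32_MAX.
constexpr int32_t kSmiMaxValue = std::numeric_limits<int32_t>::max();

// Hypothetical placeholder for OrderedHashTable::kMaxCapacity. The real
// constant is not on the page; this one is simply chosen far below
// INT32_MAX / 2 to mirror the "bounded well below int overflow" argument.
constexpr int32_t kAssumedMaxCapacity = 1 << 20;

// Shape of the expression under review: `int length = size * 2;`.
// Signed overflow is undefined behaviour in C++, so this must only ever be
// reached with inputs that a bound has already proven safe.
int32_t UncheckedDouble(int32_t size) { return size * 2; }

// Stand-in for checked arithmetic in the spirit of CheckedNumeric:
// report overflow instead of wrapping. On failure *out is left untouched.
bool CheckedDouble(int32_t size, int32_t* out) {
  // A capacity/length must not be negative.
  if (size < 0) return false;
  // size * 2 fits in int32_t iff size <= INT32_MAX / 2.
  if (size > std::numeric_limits<int32_t>::max() / 2) return false;
  *out = size * 2;
  return true;
}

// The reasoning in the final reply, as a compile-time check: a bound
// guarantees `bound * 2` cannot overflow iff the bound is within
// [0, INT32_MAX / 2]. Use this on the real kMaxCapacity to lock the
// argument into the build rather than into a review comment.
constexpr bool DoublingFitsInt32(int32_t bound) {
  return bound >= 0 && bound <= std::numeric_limits<int32_t>::max() / 2;
}

// The Smi bound alone does not rule out overflow; the capacity bound does.
static_assert(!DoublingFitsInt32(kSmiMaxValue),
              "a Smi-sized value can overflow when doubled");
static_assert(DoublingFitsInt32(kAssumedMaxCapacity),
              "capacity bound keeps size * 2 inside int32_t");

int main() {
  int32_t length = 0;
  std::printf("Smi max doubled: %s\n",
              CheckedDouble(kSmiMaxValue, &length) ? "ok" : "overflow");
  if (CheckedDouble(kAssumedMaxCapacity, &length))
    std::printf("capacity-bounded size doubled: %d\n", length);
  std::printf("unchecked doubling of bounded size: %d\n",
              UncheckedDouble(kAssumedMaxCapacity));
  return 0;
}
```

The `static_assert` on the bound is the durable form of the reply's argument: if someone later raises the capacity constant past `INT32_MAX / 2`, the build fails instead of the multiplication silently wrapping.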
