Reviewers: Jakob, ulan,
Message:
PTAL.
Description:
Harden NumberToSize against overflows.
The callers to NumberToSize are supposed to validate the number, but
this adds a last line of defense.
[email protected],[email protected]
Please review this at https://codereview.chromium.org/72323003/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files (+5, -0 lines):
M src/v8conversions.h
Index: src/v8conversions.h
diff --git a/src/v8conversions.h b/src/v8conversions.h
index
3a7b5242ab79af659b15e99b0a6d53f967cd91d1..f3d0992d62b2ccb030b54f260cce604d0ec20ec5
100644
--- a/src/v8conversions.h
+++ b/src/v8conversions.h
@@ -60,10 +60,15 @@ inline size_t NumberToSize(Isolate* isolate,
Object* number) {
SealHandleScope shs(isolate);
if (number->IsSmi()) {
+ int value = Smi::cast(number)->value();
+ CHECK(value >= 0
+ && static_cast<unsigned>(value) <=
std::numeric_limits<size_t>::max());
return Smi::cast(number)->value();
} else {
ASSERT(number->IsHeapNumber());
double value = HeapNumber::cast(number)->value();
+ CHECK(value >= 0 &&
+ value <= std::numeric_limits<size_t>::max());
return static_cast<size_t>(value);
}
}
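Review bot: In the heap-number branch, `value <= std::numeric_limits<size_t>::max()` does not reject every out-of-range double where size_t is 64 bits wide. The limit 2^64-1 is not representable as a double and is converted to 2^64 for the comparison, so a value of exactly 2^64 passes the CHECK and then reaches `static_cast<size_t>(value)`, which is undefined for a value that does not fit in size_t. Comparing against a bound that is exactly representable as a double (with a strict `<` where the converted limit rounds up) would close that gap. In the Smi branch, the second conjunct `static_cast<unsigned>(value) <= std::numeric_limits<size_t>::max()` cannot fail once `value >= 0` holds and size_t is at least as wide as unsigned, so it could be dropped or given a comment explaining which platform it guards. The return there should also use the checked local, `return static_cast<size_t>(value);`, rather than calling `Smi::cast(number)->value()` a second time, so that the value checked is the value returned.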