Revision: 17733
Author: [email protected]
Date: Thu Nov 14 11:14:06 2013 UTC
Log: Harden NumberToSize against overflows.
The callers to NumberToSize are supposed to validate the number, but
this adds a last line of defense.
[email protected], [email protected]
Review URL: https://codereview.chromium.org/72323003
http://code.google.com/p/v8/source/detail?r=17733
Modified:
/branches/bleeding_edge/src/v8conversions.h
=======================================
--- /branches/bleeding_edge/src/v8conversions.h Mon Jun 3 15:32:22 2013 UTC
+++ /branches/bleeding_edge/src/v8conversions.h Thu Nov 14 11:14:06 2013 UTC
@@ -60,10 +60,15 @@
Object* number) {
SealHandleScope shs(isolate);
if (number->IsSmi()) {
- return Smi::cast(number)->value();
+ int value = Smi::cast(number)->value();
+ CHECK_GE(value, 0);
+ ASSERT(Smi::kMaxValue <= std::numeric_limits<size_t>::max());
+ return static_cast<size_t>(value);
} else {
ASSERT(number->IsHeapNumber());
double value = HeapNumber::cast(number)->value();
+ CHECK(value >= 0 &&
+ value <= std::numeric_limits<size_t>::max());
return static_cast<size_t>(value);
}
}
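Review bot: In the HeapNumber branch, the upper bound in CHECK(value >= 0 && value <= std::numeric_limits<size_t>::max()) is evaluated in double, and where size_t is 64 bits that maximum is not exactly representable as a double and rounds up to 2^64. A value of exactly 2^64 therefore passes the CHECK, and the static_cast<size_t>(value) that follows is then out of range. A strict less-than against the converted limit, or an explicit power-of-two bound, would close that edge. In the Smi branch, the ASSERT compares two constants (Smi::kMaxValue and the size_t maximum), so it could be a compile-time assertion rather than a check that only runs in debug builds.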