Reviewers: Jakob, ulan,

Description:
Reland "Harden NumberToSize against overflows."

The callers to NumberToSize are supposed to validate the number, but
this adds a last line of defense.

[email protected], [email protected]

Please review this at https://codereview.chromium.org/61733021/

SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge

Affected files (+8, -1 lines):
  M src/v8conversions.h


Index: src/v8conversions.h
diff --git a/src/v8conversions.h b/src/v8conversions.h
index 3a7b5242ab79af659b15e99b0a6d53f967cd91d1..d3da9f8bb86db798e9ca5ad017a197b7bd5240d0 100644
--- a/src/v8conversions.h
+++ b/src/v8conversions.h
@@ -60,10 +60,17 @@ inline size_t NumberToSize(Isolate* isolate,
                            Object* number) {
   SealHandleScope shs(isolate);
   if (number->IsSmi()) {
-    return Smi::cast(number)->value();
+    int value = Smi::cast(number)->value();
+    CHECK_GE(value, 0);
+    ASSERT(
+      static_cast<unsigned>(Smi::kMaxValue)
+        <= std::numeric_limits<size_t>::max());
+    return static_cast<size_t>(value);
   } else {
     ASSERT(number->IsHeapNumber());
     double value = HeapNumber::cast(number)->value();
+    CHECK(value >= 0 &&
+          value <= std::numeric_limits<size_t>::max());
     return static_cast<size_t>(value);
   }
 }
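Review bot: The upper-bound check added in the HeapNumber branch, `value <= std::numeric_limits<size_t>::max()`, compares a double against a size_t and is not tight on 64-bit targets: 2^64 - 1 is not representable as a double, so the comparison is performed against 2^64 and a `value` of exactly 2^64 passes the CHECK, after which `static_cast<size_t>(value)` on the next line is out of range (undefined behaviour). Compare against a bound that is exact in double instead, e.g. `value < 18446744073709551616.0` (strictly less than 2^64) or the equivalent `value < static_cast<double>(std::numeric_limits<size_t>::max())` combined with an explicit check that the conversion round-trips. The `value >= 0` half correctly rejects NaN, since all comparisons with NaN are false. Separately, the hunk introduces `std::numeric_limits` but does not show `<limits>` being included in v8conversions.h; confirm the header already includes it rather than relying on a transitive include.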


--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev