Harden NumberToSize against overflows.

The callers to NumberToSize are supposed to validate the number, but
this adds a last line of defense.

R=jkummerow@chromium.org, ulan@chromium.org

Review URL: https://codereview.chromium.org/72323003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@17733 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This commit is contained in:
dslomov@chromium.org 2013-11-14 11:14:06 +00:00
parent 37dcc41d29
commit 10138add57

View File

@ -60,10 +60,15 @@ inline size_t NumberToSize(Isolate* isolate,
Object* number) {
SealHandleScope shs(isolate);
if (number->IsSmi()) {
return Smi::cast(number)->value();
int value = Smi::cast(number)->value();
CHECK_GE(value, 0);
ASSERT(Smi::kMaxValue <= std::numeric_limits<size_t>::max());
return static_cast<size_t>(value);
} else {
ASSERT(number->IsHeapNumber());
double value = HeapNumber::cast(number)->value();
CHECK(value >= 0 &&
value <= std::numeric_limits<size_t>::max());
return static_cast<size_t>(value);
}
}