AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity

Harden NumberToSize against overflows.

Browse Source 
The callers to NumberToSize are supposed to validate the number, but
this adds a last line of defense.

R=jkummerow@chromium.org, ulan@chromium.org

Review URL: https://codereview.chromium.org/72323003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@17733 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This commit is contained in:
dslomov@chromium.org 2013-11-14 11:14:06 +00:00
parent 37dcc41d29
commit 10138add57
1 changed files with 6 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
src/v8conversions.h
View File

@ -60,10 +60,15 @@ inline size_t NumberToSize(Isolate* isolate,
Object* number) {
SealHandleScope shs(isolate);
if (number->IsSmi()) {
return Smi::cast(number)->value();
int value = Smi::cast(number)->value();
CHECK_GE(value, 0);
ASSERT(Smi::kMaxValue <= std::numeric_limits<size_t>::max());
return static_cast<size_t>(value);
} else {
ASSERT(number->IsHeapNumber());
double value = HeapNumber::cast(number)->value();
CHECK(value >= 0 &&
value <= std::numeric_limits<size_t>::max());
return static_cast<size_t>(value);
}
}