Harden NumberToSize against overflows.
The callers to NumberToSize are supposed to validate the number, but this adds a last line of defense. R=jkummerow@chromium.org, ulan@chromium.org Review URL: https://codereview.chromium.org/72323003 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@17733 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
parent
37dcc41d29
commit
10138add57
@ -60,10 +60,15 @@ inline size_t NumberToSize(Isolate* isolate,
|
|||||||
Object* number) {
|
Object* number) {
|
||||||
SealHandleScope shs(isolate);
|
SealHandleScope shs(isolate);
|
||||||
if (number->IsSmi()) {
|
if (number->IsSmi()) {
|
||||||
return Smi::cast(number)->value();
|
int value = Smi::cast(number)->value();
|
||||||
|
CHECK_GE(value, 0);
|
||||||
|
ASSERT(Smi::kMaxValue <= std::numeric_limits<size_t>::max());
|
||||||
|
return static_cast<size_t>(value);
|
||||||
} else {
|
} else {
|
||||||
ASSERT(number->IsHeapNumber());
|
ASSERT(number->IsHeapNumber());
|
||||||
double value = HeapNumber::cast(number)->value();
|
double value = HeapNumber::cast(number)->value();
|
||||||
|
CHECK(value >= 0 &&
|
||||||
|
value <= std::numeric_limits<size_t>::max());
|
||||||
return static_cast<size_t>(value);
|
return static_cast<size_t>(value);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
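Review bot: The upper bound in the heap-number branch, `value <= std::numeric_limits<size_t>::max()`, is still off by one where size_t is 64 bits wide. The limit is converted to double for the comparison and 2^64-1 rounds up to 2^64, so a value of exactly 2^64 passes the CHECK and the following `static_cast<size_t>(value)` is out of range, which is undefined behaviour. A strict comparison against an exactly representable bound closes this for both 32-bit and 64-bit size_t: `CHECK(value >= 0 && value < 2.0 * static_cast<double>(std::numeric_limits<size_t>::max() / 2 + 1));`. Separately, `ASSERT(Smi::kMaxValue <= std::numeric_limits<size_t>::max())` compares two constants and ASSERT is, as far as I know, debug-only here, so a compile-time assertion would fit better if the codebase provides one. The signature of NumberToSize starts above the hunk.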