[typedarrays] Fix Out of Bound Access in TypedArraySortFast

Compare function for std::sort should satisfy strict weak ordering relation. BUG=chromium:696251 Change-Id: I1c07e3bb1b012fd203bc059a21a75ae0fc61f5ac Reviewed-on: https://chromium-review.googlesource.com/447036 Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Commit-Queue: Peter Marshall <petermarshall@chromium.org> Cr-Commit-Position: refs/heads/master@{#43446}
2017-02-27 13:28:43 +09:00 · 2017-02-27 13:28:43 +09:00 · cd3a76d56f
commit cd3a76d56f
parent 1ed1622ef2
2 changed files with 18 additions and 6 deletions
--- a/src/runtime/runtime-typedarray.cc
+++ b/src/runtime/runtime-typedarray.cc
@ -375,12 +375,17 @@ namespace {
      return true;                                                \
    } else if (x > y) {                                           \
      return false;                                               \
-    } else if (x == 0 && x == y) {                                \
-      return std::signbit(static_cast<double>(x)) ? true : false; \
-    } else if (std::isnan(static_cast<double>(x))) {              \
-      return false;                                               \
+    } else {                                                      \
+      double _x = x, _y = y;                                      \
+      if (x == 0 && x == y) {                                     \
+        /* -0.0 is less than +0.0 */                              \
+        return std::signbit(_x) && !std::signbit(_y);             \
+      } else if (!std::isnan(_x) && std::isnan(_y)) {             \
+        /* number is less than NaN */                             \
+        return true;                                              \
+      }                                                           \
    }                                                             \
-    return true;                                                  \
+    return false;                                                 \
  }

 TYPED_ARRAYS(TYPED_ARRAY_SORT_COMPAREFN)
@ -399,7 +404,7 @@ RUNTIME_FUNCTION(Runtime_TypedArraySortFast) {
  ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
      isolate, array, JSTypedArray::Validate(isolate, target_obj, method));

-  // This line can be remove when JSTypedArray::Validate throws
+  // This line can be removed when JSTypedArray::Validate throws
  // if array.[[ViewedArrayBuffer]] is neutered(v8:4648)
  if (V8_UNLIKELY(array->WasNeutered())) return *array;

--- a/test/mjsunit/regress/regress-696251.js
+++ b/test/mjsunit/regress/regress-696251.js
@ -0,0 +1,7 @@
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+var a = new Uint8Array(1000);
+a.fill(255);
+a.sort();