Reland "Harden NumberToSize against overflows."
author dslomov@chromium.org <dslomov@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
Thu, 14 Nov 2013 11:40:32 +0000 (11:40 +0000)
committer dslomov@chromium.org <dslomov@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
Thu, 14 Nov 2013 11:40:32 +0000 (11:40 +0000)
The callers to NumberToSize are supposed to validate the number, but
this adds a last line of defense.

TBR=jkummerow@chromium.org, ulan@chromium.org

Review URL: https://codereview.chromium.org/61733021

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@17737 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

src/v8conversions.h

index 3a7b524..d3da9f8 100644
@@ -60,10 +60,17 @@ inline size_t NumberToSize(Isolate* isolate,
                            Object* number) {
   SealHandleScope shs(isolate);
   if (number->IsSmi()) {
-    return Smi::cast(number)->value();
+    int value = Smi::cast(number)->value();
+    CHECK_GE(value, 0);
+    ASSERT(
+      static_cast<unsigned>(Smi::kMaxValue)
+        <= std::numeric_limits<size_t>::max());
+    return static_cast<size_t>(value);
   } else {
     ASSERT(number->IsHeapNumber());
     double value = HeapNumber::cast(number)->value();
+    CHECK(value >= 0 &&
+          value <= std::numeric_limits<size_t>::max());
     return static_cast<size_t>(value);
   }
 }
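Review bot: the upper-bound check in the HeapNumber branch, `value <= std::numeric_limits<size_t>::max()`, is evaluated in double precision, and on 64-bit targets the maximum of size_t (2^64 - 1) is not representable as a double and rounds up to exactly 2^64, so a double equal to 2^64 passes the CHECK and the following `static_cast<size_t>(value)` is out of range, which is undefined behaviour. A strict comparison, `value < static_cast<double>(std::numeric_limits<size_t>::max())`, rejects that boundary value while still accepting every double below 2^64, all of which convert safely; on 32-bit targets 2^32 - 1 is exactly representable, so the existing form is correct there. The `value >= 0` half is fine and also rejects NaN, since NaN compares false. Separately, both branches now use std::numeric_limits, which requires `#include <limits>`; the hunk does not show the includes, so it is worth confirming the header already has it.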