github_mirrors/quickjs
3
0
Fork 1
mirror of https://github.com/bellard/quickjs.git synced 2025-09-30 06:54:26 +03:00
Code Issues Packages Projects Releases Wiki Activity

Fix UB signed integer overflow in js_math_imul

Browse Source 
- Use uint32_t arithmetics and Standard conformant conversion to
  avoid UB in js_math_imul.
- add builtin tests
- use specific object directories for SAN targets
This commit is contained in:
Charlie Gordon
2024-02-17 21:15:29 +01:00
parent 8df4327559
commit 85fb2caeae
3 changed files with 21 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
quickjs.c
View File

@@ -43092,14 +43092,16 @@ static double js_math_fround(double a)
static JSValue js_math_imul(JSContext *ctx, JSValueConst this_val,
int argc, JSValueConst *argv)
{
int a, b;
uint32_t a, b, c;
int32_t d;
if (JS_ToInt32(ctx, &a, argv[0]))
if (JS_ToUint32(ctx, &a, argv[0]))
return JS_EXCEPTION;
if (JS_ToInt32(ctx, &b, argv[1]))
if (JS_ToUint32(ctx, &b, argv[1]))
return JS_EXCEPTION;
/* purposely ignoring overflow */
return JS_NewInt32(ctx, a * b);
c = a * b;
memcpy(&d, &c, sizeof(d));
return JS_NewInt32(ctx, d);
}
static JSValue js_math_clz32(JSContext *ctx, JSValueConst this_val,