src/factory.h - Issue 1588013002: Robustify NewNumberFromSize against int-overflow on cast - Code Review

Chromium Code Reviews

chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out

(178)

My Issues | Starred Open | Closed | All

Unified Diff: src/factory.h

Issue 1588013002: Robustify NewNumberFromSize against int-overflow on cast (Closed) Base URL: https://chromium.googlesource.com/v8/v8.git@master

Patch Set: Created 4 years, 11 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

« no previous file with comments | « no previous file | test/mjsunit/regress/regress-crbug-380671.js » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

Index: src/factory.h

diff --git a/src/factory.h b/src/factory.h

index 5ef7c0d91013fd01ba5f869437d26f264a6d436b..01a2f7eecf2c2ca0b6c2f857ee267b2f12f304c7 100644

--- a/src/factory.h

+++ b/src/factory.h

@@ -343,7 +343,9 @@ class Factory final {

PretenureFlag pretenure = NOT_TENURED);

Handle<Object> NewNumberFromSize(size_t value,

PretenureFlag pretenure = NOT_TENURED) {

- if (Smi::IsValid(static_cast<intptr_t>(value))) {

+ // We can't use Smi::IsValid() here because that operates on a signed

+ // intptr_t, and casting from size_t could create a bogus sign bit.

+ if (value <= static_cast<size_t>(Smi::kMaxValue)) {

return Handle<Object>(Smi::FromIntptr(static_cast<intptr_t>(value)),

isolate());

}

« no previous file with comments | « no previous file | test/mjsunit/regress/regress-crbug-380671.js » ('j') | no next file with comments »

Powered by Google App Engine

This is Rietveld 408576698