Harden NumberToSize against overflows.

The callers to NumberToSize are supposed to validate the number, but this adds a last line of defense. R=jkummerow@chromium.org, ulan@chromium.org Review URL: https://codereview.chromium.org/72323003 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@17733 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

Harden NumberToSize against overflows.
The callers to NumberToSize are supposed to validate the number, but this adds a last line of defense. R=jkummerow@chromium.org, ulan@chromium.org Review URL: https://codereview.chromium.org/72323003 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@17733 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
10138add · dslomov@chromium.org · 37dcc41d · 10138add
Commit 10138add authored Nov 14, 2013 by dslomov@chromium.org
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 1 deletion

v8conversions.h src/v8conversions.h +6 -1

No files found.
--- a/src/v8conversions.h
+++ b/src/v8conversions.h
@@ -60,10 +60,15 @@ inline size_t NumberToSize(Isolate* isolate,
                           Object* number) {
  SealHandleScope shs(isolate);
  if (number->IsSmi()) {
-    return Smi::cast(number)->value();
+    int value = Smi::cast(number)->value();
+    CHECK_GE(value, 0);
+    ASSERT(Smi::kMaxValue <= std::numeric_limits<size_t>::max());
+    return static_cast<size_t>(value);
  } else {
    ASSERT(number->IsHeapNumber());
    double value = HeapNumber::cast(number)->value();
+    CHECK(value >= 0 &&
+          value <= std::numeric_limits<size_t>::max());
    return static_cast<size_t>(value);
  }
 }