Commit 10138add authored by dslomov@chromium.org's avatar dslomov@chromium.org

Harden NumberToSize against overflows.

The callers to NumberToSize are supposed to validate the number, but
this adds a last line of defense.

R=jkummerow@chromium.org, ulan@chromium.org

Review URL: https://codereview.chromium.org/72323003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@17733 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
parent 37dcc41d
......@@ -60,10 +60,15 @@ inline size_t NumberToSize(Isolate* isolate,
Object* number) {
SealHandleScope shs(isolate);
if (number->IsSmi()) {
return Smi::cast(number)->value();
int value = Smi::cast(number)->value();
CHECK_GE(value, 0);
ASSERT(Smi::kMaxValue <= std::numeric_limits<size_t>::max());
return static_cast<size_t>(value);
} else {
ASSERT(number->IsHeapNumber());
double value = HeapNumber::cast(number)->value();
CHECK(value >= 0 &&
value <= std::numeric_limits<size_t>::max());
return static_cast<size_t>(value);
}
}
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment