[ubsan][bigint] Fix int overflow in BigIntToStringImpl

The result of Object::ToInteger is a number rounded to an integer value, but not necessarily in the range of what a C++ "int" can represent. Doing the 2 <= radix <= 36 range check first makes the subsequent cast safe. Bug: chromium:927212 Change-Id: I49f115140f6dc1f951cbc08a3025b3ac92ec8628 Reviewed-on: https://chromium-review.googlesource.com/c/1449040 Commit-Queue: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#59303}

[ubsan][bigint] Fix int overflow in BigIntToStringImpl
The result of Object::ToInteger is a number rounded to an integer value, but not necessarily in the range of what a C++ "int" can represent. Doing the 2 <= radix <= 36 range check first makes the subsequent cast safe. Bug: chromium:927212 Change-Id: I49f115140f6dc1f951cbc08a3025b3ac92ec8628 Reviewed-on: https://chromium-review.googlesource.com/c/1449040 Commit-Queue: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#59303}
f738c6c4 · Jakob Kummerow · Commit Bot · 84f17076 · f738c6c4 · f738c6c4
Commit f738c6c4 authored Feb 01, 2019 by Jakob Kummerow Committed by Commit Bot Feb 01, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 12 additions and 10 deletions

builtins-bigint.cc src/builtins/builtins-bigint.cc +9 -10

ubsan-fuzzerbugs.js test/mjsunit/ubsan-fuzzerbugs.js +3 -0

No files found.
--- a/src/builtins/builtins-bigint.cc
+++ b/src/builtins/builtins-bigint.cc
@@ -103,19 +103,18 @@ Object BigIntToStringImpl(Handle<Object> receiver, Handle<Object> radix,
      isolate, x, ThisBigIntValue(isolate, receiver, builtin_name));
  // 2. If radix is not present, let radixNumber be 10.
  // 3. Else if radix is undefined, let radixNumber be 10.
-  int radix_number;
-  if (radix->IsUndefined(isolate)) {
-    radix_number = 10;
-  } else {
+  int radix_number = 10;
+  if (!radix->IsUndefined(isolate)) {
    // 4. Else, let radixNumber be ? ToInteger(radix).
    ASSIGN_RETURN_FAILURE_ON_EXCEPTION(isolate, radix,
                                       Object::ToInteger(isolate, radix));
-    radix_number = static_cast<int>(radix->Number());
-  }
-  // 5. If radixNumber < 2 or radixNumber > 36, throw a RangeError exception.
-  if (radix_number < 2 || radix_number > 36) {
-    THROW_NEW_ERROR_RETURN_FAILURE(
-        isolate, NewRangeError(MessageTemplate::kToRadixFormatRange));
+    double radix_double = radix->Number();
+    // 5. If radixNumber < 2 or radixNumber > 36, throw a RangeError exception.
+    if (radix_double < 2 || radix_double > 36) {
+      THROW_NEW_ERROR_RETURN_FAILURE(
+          isolate, NewRangeError(MessageTemplate::kToRadixFormatRange));
+    }
+    radix_number = static_cast<int>(radix_double);
  }
  // Return the String representation of this Number value using the radix
  // specified by radixNumber.

--- a/test/mjsunit/ubsan-fuzzerbugs.js
+++ b/test/mjsunit/ubsan-fuzzerbugs.js
@@ -14,3 +14,6 @@ new Date(2146399200000).toString();
 new Date(2146940400000).toString();
 new Date(2147481600000).toString();
 new Date(2148022800000).toString();
+
+// crbug.com/927212
+assertThrows(() => (2n).toString(-2147483657), RangeError);