Commit f738c6c4 authored by Jakob Kummerow's avatar Jakob Kummerow Committed by Commit Bot

[ubsan][bigint] Fix int overflow in BigIntToStringImpl

The result of Object::ToInteger is a number rounded to an
integer value, but not necessarily in the range of what a
C++ "int" can represent. Doing the 2 <= radix <= 36 range
check first makes the subsequent cast safe.

Bug: chromium:927212
Change-Id: I49f115140f6dc1f951cbc08a3025b3ac92ec8628
Reviewed-on: https://chromium-review.googlesource.com/c/1449040
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59303}
parent 84f17076
...@@ -103,19 +103,18 @@ Object BigIntToStringImpl(Handle<Object> receiver, Handle<Object> radix, ...@@ -103,19 +103,18 @@ Object BigIntToStringImpl(Handle<Object> receiver, Handle<Object> radix,
isolate, x, ThisBigIntValue(isolate, receiver, builtin_name)); isolate, x, ThisBigIntValue(isolate, receiver, builtin_name));
// 2. If radix is not present, let radixNumber be 10. // 2. If radix is not present, let radixNumber be 10.
// 3. Else if radix is undefined, let radixNumber be 10. // 3. Else if radix is undefined, let radixNumber be 10.
int radix_number; int radix_number = 10;
if (radix->IsUndefined(isolate)) { if (!radix->IsUndefined(isolate)) {
radix_number = 10;
} else {
// 4. Else, let radixNumber be ? ToInteger(radix). // 4. Else, let radixNumber be ? ToInteger(radix).
ASSIGN_RETURN_FAILURE_ON_EXCEPTION(isolate, radix, ASSIGN_RETURN_FAILURE_ON_EXCEPTION(isolate, radix,
Object::ToInteger(isolate, radix)); Object::ToInteger(isolate, radix));
radix_number = static_cast<int>(radix->Number()); double radix_double = radix->Number();
} // 5. If radixNumber < 2 or radixNumber > 36, throw a RangeError exception.
// 5. If radixNumber < 2 or radixNumber > 36, throw a RangeError exception. if (radix_double < 2 || radix_double > 36) {
if (radix_number < 2 || radix_number > 36) { THROW_NEW_ERROR_RETURN_FAILURE(
THROW_NEW_ERROR_RETURN_FAILURE( isolate, NewRangeError(MessageTemplate::kToRadixFormatRange));
isolate, NewRangeError(MessageTemplate::kToRadixFormatRange)); }
radix_number = static_cast<int>(radix_double);
} }
// Return the String representation of this Number value using the radix // Return the String representation of this Number value using the radix
// specified by radixNumber. // specified by radixNumber.
......
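Review bot: The new guard `radix_double < 2 || radix_double > 36` is false for NaN, so the `static_cast<int>(radix_double)` after it is safe only because Object::ToInteger is expected never to produce NaN (the spec maps NaN to +0), and nothing in the hunk records that dependency. Writing the guard as `if (!(radix_double >= 2 && radix_double <= 36)) {` keeps the same behaviour for every integer-valued input and also rejects NaN, so the cast stays defined even if the conversion above it changes. It would also help to put the reason for the ordering next to the check, for example `// Range-check as double first: casting an out-of-range double to int is undefined behavior.`, so a later cleanup does not move the cast back above it. BigIntToStringImpl begins and ends outside the hunk, so how radix_number is used afterwards is not visible here.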
...@@ -14,3 +14,6 @@ new Date(2146399200000).toString(); ...@@ -14,3 +14,6 @@ new Date(2146399200000).toString();
new Date(2146940400000).toString(); new Date(2146940400000).toString();
new Date(2147481600000).toString(); new Date(2147481600000).toString();
new Date(2148022800000).toString(); new Date(2148022800000).toString();
// crbug.com/927212
assertThrows(() => (2n).toString(-2147483657), RangeError);
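Review bot: The added assertion probably passes on builds without UBSan even with the fix reverted, because a typical out-of-range double-to-int result still falls outside 2..36 and raises the same RangeError; the regression is only caught where the sanitizer is enabled. The test covers a single negative value, so the positive side and the non-finite case are unchecked; consider adding `assertThrows(() => (2n).toString(2147483658), RangeError);` and `assertThrows(() => (2n).toString(Infinity), RangeError);` (values constructed for this note). A short comment saying that the case targets an out-of-int-range radix would make the intent clearer than the bug link alone. The test file starts outside the hunk.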