Fixed undefined behaviour in njs_number_to_integer().

C11: 6.3.1.4
... If the value of the integral part cannot be represented by the
integer type, the behavior is undefined.

Found by OSS-Fuzz.

diff --git a/src/njs_number.h b/src/njs_number.h
index 77d85e33d7c9ce1a22a8231f2cb6f408dd0aadc7..4753208541dd3d1a55df156f73897ffb7292f8f2 100644 (file)
--- a/src/njs_number.h
+++ b/src/njs_number.h
@@ -56,18 +56,18 @@ njs_key_is_integer_index(double num, const njs_value_t *value)
 njs_inline int64_t
 njs_number_to_integer(double num)
 {
-    if (njs_slow_path(isinf(num))) {
-        if (num < 0) {
+    if (njs_fast_path(!isnan(num))) {
+        if (num < INT64_MIN) {
             return INT64_MIN;
-        }
 
-        return INT64_MAX;
+        } else if (num > INT64_MAX) {
+            return INT64_MAX;
+        }
 
-    } else if (njs_slow_path(isnan(num))) {
-        return 0;
+        return num;
     }
 
-    return trunc(num) + 0.0;
+    return 0;
 }
 
 

diff --git a/src/test/njs_unit_test.c b/src/test/njs_unit_test.c
index 529eea7e41cc3fe5794dfd6fa4a489d2fadfb882..08612dad074a0675e5b907eb706571af3f16a8cc 100644 (file)
--- a/src/test/njs_unit_test.c
+++ b/src/test/njs_unit_test.c
@@ -8882,6 +8882,9 @@ static njs_unit_test_t  njs_test[] =
     { njs_str("''.repeat(2147483648)"),
       njs_str("") },
 
+    { njs_str("'aaaaaaaa'.repeat(2**64+1)"),
+      njs_str("RangeError") },
+
     { njs_str("''.repeat(Infinity)"),
       njs_str("RangeError") },