From: Dmitry Volyntsev
Date: Mon, 24 May 2021 10:51:47 +0000 (+0000)
Subject: Fixed undefined behaviour in njs_number_to_integer().
X-Git-Tag: 0.6.0~23
X-Git-Url: http://www.kaiwu.me/postgresql/commit/static/gitweb.js?a=commitdiff_plain;h=8c83899e1ed6933aebb917d190d10a0def788e63;p=njs.git
Fixed undefined behaviour in njs_number_to_integer(). C11: 6.3.1.4 ... If the value of the integral part cannot be represented by the integer type, the behavior is undefined. Found by OSS-Fuzz.
---
diff --git a/src/njs_number.h b/src/njs_number.h
index 77d85e33..47532085 100644
--- a/src/njs_number.h
+++ b/src/njs_number.h
@@ -56,18 +56,18 @@ njs_key_is_integer_index(double num, const njs_value_t *value)
 njs_inline int64_t
 njs_number_to_integer(double num)
 {
- if (njs_slow_path(isinf(num))) {
- if (num < 0) {
+ if (njs_fast_path(!isnan(num))) {
+ if (num < INT64_MIN) {
 return INT64_MIN;
- }
- return INT64_MAX;
+ } else if (num > INT64_MAX) {
+ return INT64_MAX;
+ }
- } else if (njs_slow_path(isnan(num))) {
- return 0;
+ return num;
 }
- return trunc(num) + 0.0;
+ return 0;
 }
diff --git a/src/test/njs_unit_test.c b/src/test/njs_unit_test.c
index 529eea7e..08612dad 100644
--- a/src/test/njs_unit_test.c
+++ b/src/test/njs_unit_test.c
@@ -8882,6 +8882,9 @@ static njs_unit_test_t njs_test[] =
 { njs_str("''.repeat(2147483648)"),
 njs_str("") },
+ { njs_str("'aaaaaaaa'.repeat(2**64+1)"),
+ njs_str("RangeError") },
+
 { njs_str("''.repeat(Infinity)"),
 njs_str("RangeError") },
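Review bot: The new upper-bound guard `num > INT64_MAX` in njs_number_to_integer() still leaves one out-of-range conversion: INT64_MAX is converted to double for the comparison and rounds up to 2^63, so a num of exactly 2^63 is not greater than it and falls through to `return num;`, which converts a value the int64_t cannot hold — the same C11 6.3.1.4 case the commit message cites. Changing the branch to `} else if (num >= 0x1p63) {` (9223372036854775808.0, the first double above INT64_MAX) makes the boundary saturate to INT64_MAX like the larger values already do; the lower bound is fine as written because INT64_MIN (-2^63) is exactly representable as a double. The conversion in `return num;` truncates toward zero, so it matches the removed `trunc(num)` for in-range values. The unit test added in the second hunk covers 2**64+1 but not the 2**63 boundary; a sibling case such as `'a'.repeat(2**63)` expecting RangeError would pin it.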