author | Charlie Gordon <github@chqrlie.org> | 2024-02-17 21:15:29 +0100 |
---|---|---|
committer | Charlie Gordon <github@chqrlie.org> | 2024-02-17 21:15:29 +0100 |
commit | 85fb2caeae86bc7962ff8740f24a3f462e8b3f53 (patch) | |
tree | cef1e7770ab68982045d51e0349feb1d0a58f2f7 /quickjs.c | |
parent | 8df432755914ca02476b34d9bf0e54e21d75b05f (diff) | |
Fix UB signed integer overflow in js_math_imul
- Use uint32_t arithmetics and Standard conformant conversion to
avoid UB in js_math_imul.
- add builtin tests
- use specific object directories for SAN targets
Diffstat (limited to 'quickjs.c')
-rw-r--r-- | quickjs.c | 12 |
1 files changed, 7 insertions, 5 deletions
@@ -43092,14 +43092,16 @@ static double js_math_fround(double a)
 static JSValue js_math_imul(JSContext *ctx, JSValueConst this_val,
 int argc, JSValueConst *argv)
 {
- int a, b;
+ uint32_t a, b, c;
+ int32_t d;
- if (JS_ToInt32(ctx, &a, argv[0]))
+ if (JS_ToUint32(ctx, &a, argv[0]))
 return JS_EXCEPTION;
- if (JS_ToInt32(ctx, &b, argv[1]))
+ if (JS_ToUint32(ctx, &b, argv[1]))
 return JS_EXCEPTION;
- /* purposely ignoring overflow */
- return JS_NewInt32(ctx, a * b);
+ c = a * b;
+ memcpy(&d, &c, sizeof(d));
+ return JS_NewInt32(ctx, d);
 }
 static JSValue js_math_clz32(JSContext *ctx, JSValueConst this_val, |
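Review bot: The new tail of js_math_imul removes the old `/* purposely ignoring overflow */` comment and leaves the `memcpy(&d, &c, sizeof(d));` unexplained, so a later cleanup could turn it back into a plain cast or signed arithmetic. A comment above `c = a * b;` would pin the intent, for example `/* multiply as uint32_t so the product wraps modulo 2^32; memcpy reinterprets the bits as int32_t without an out-of-range signed conversion */`. The operands arrive from script through `argv`, so this is a path that sanitizer and fuzzing builds will exercise. The product is also only free of signed overflow where `int` is no wider than 32 bits, since otherwise both `uint32_t` operands promote to `int` before the multiply. That holds on the usual targets, but the assumption could be stated in the same comment.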