diff options
| author | Fabrice Bellard <fabrice@bellard.org> | 2024-01-08 18:39:26 +0100 |
|---|---|---|
| committer | Fabrice Bellard <fabrice@bellard.org> | 2024-01-08 18:39:26 +0100 |
| commit | c3635861f63931255c7a953bccbb0e2e90cc75aa (patch) | |
| tree | 5697f7611be985badfc147965e9a827aa9e8f159 /quickjs.c | |
| parent | 3c2cfabfc74e8af1f21db93884ed1ad9b6388a8c (diff) | |
| download | quickjs-c3635861f63931255c7a953bccbb0e2e90cc75aa.tar.gz quickjs-c3635861f63931255c7a953bccbb0e2e90cc75aa.zip | |
avoid potentially undefined behavior and make valgrind happy (bnoordhuis) (github issue #153)
Diffstat (limited to 'quickjs.c')
| -rw-r--r-- | quickjs.c | 26 |
1 files changed, 12 insertions, 14 deletions
@@ -7905,47 +7905,45 @@ static JSValue JS_GetPropertyValue(JSContext *ctx, JSValueConst this_obj, if (likely(JS_VALUE_GET_TAG(this_obj) == JS_TAG_OBJECT && JS_VALUE_GET_TAG(prop) == JS_TAG_INT)) { JSObject *p; - uint32_t idx, len; + uint32_t idx; /* fast path for array access */ p = JS_VALUE_GET_OBJ(this_obj); idx = JS_VALUE_GET_INT(prop); - /* Note: this code works even if 'p->u.array.count' is not - initialized. There are two cases: - - 'p' is an array-like object. 'p->u.array.count' is - initialized so the slow_path is taken when the index is - out of bounds. - - 'p' is not an array-like object. 'p->u.array.count' has - any value and potentially not initialized. In all the cases - (idx >= len or idx < len) the slow path is taken as - expected. - */ - len = (uint32_t)p->u.array.count; - if (unlikely(idx >= len)) - goto slow_path; switch(p->class_id) { case JS_CLASS_ARRAY: case JS_CLASS_ARGUMENTS: + if (unlikely(idx >= p->u.array.count)) goto slow_path; return JS_DupValue(ctx, p->u.array.u.values[idx]); case JS_CLASS_INT8_ARRAY: + if (unlikely(idx >= p->u.array.count)) goto slow_path; return JS_NewInt32(ctx, p->u.array.u.int8_ptr[idx]); case JS_CLASS_UINT8C_ARRAY: case JS_CLASS_UINT8_ARRAY: + if (unlikely(idx >= p->u.array.count)) goto slow_path; return JS_NewInt32(ctx, p->u.array.u.uint8_ptr[idx]); case JS_CLASS_INT16_ARRAY: + if (unlikely(idx >= p->u.array.count)) goto slow_path; return JS_NewInt32(ctx, p->u.array.u.int16_ptr[idx]); case JS_CLASS_UINT16_ARRAY: + if (unlikely(idx >= p->u.array.count)) goto slow_path; return JS_NewInt32(ctx, p->u.array.u.uint16_ptr[idx]); case JS_CLASS_INT32_ARRAY: + if (unlikely(idx >= p->u.array.count)) goto slow_path; return JS_NewInt32(ctx, p->u.array.u.int32_ptr[idx]); case JS_CLASS_UINT32_ARRAY: + if (unlikely(idx >= p->u.array.count)) goto slow_path; return JS_NewUint32(ctx, p->u.array.u.uint32_ptr[idx]); case JS_CLASS_BIG_INT64_ARRAY: + if (unlikely(idx >= p->u.array.count)) goto slow_path; return JS_NewBigInt64(ctx, p->u.array.u.int64_ptr[idx]); case JS_CLASS_BIG_UINT64_ARRAY: + if (unlikely(idx >= p->u.array.count)) goto slow_path; return JS_NewBigUint64(ctx, p->u.array.u.uint64_ptr[idx]); case JS_CLASS_FLOAT32_ARRAY: + if (unlikely(idx >= p->u.array.count)) goto slow_path; return __JS_NewFloat64(ctx, p->u.array.u.float_ptr[idx]); case JS_CLASS_FLOAT64_ARRAY: + if (unlikely(idx >= p->u.array.count)) goto slow_path; return __JS_NewFloat64(ctx, p->u.array.u.double_ptr[idx]); default: goto slow_path; |