Fix potential conversion errors (#384)

- fix undefined behavior in double to int conversions - do not pass an `int64_t` to `js_bool()`
2024-04-16 23:18:02 +02:00 · 2024-04-16 23:18:02 +02:00 · 43dc65d605
commit 43dc65d605
parent 70a60f0aa1
1 changed files with 8 additions and 3 deletions
--- a/quickjs.c
+++ b/quickjs.c
@ -10884,6 +10884,8 @@ static __exception int JS_ToArrayLengthFree(JSContext *ctx, uint32_t *plen,
        if (JS_TAG_IS_FLOAT64(tag)) {
            double d;
            d = JS_VALUE_GET_FLOAT64(val);
+            if (!(d >= 0 && d <= UINT32_MAX))
+                goto fail;
            len = (uint32_t)d;
            if (len != d)
                goto fail;
@ -37570,9 +37572,10 @@ static JSValue js_array_includes(JSContext *ctx, JSValue this_val,
                                 int argc, JSValue *argv)
 {
    JSValue obj, val;
-    int64_t len, n, res;
+    int64_t len, n;
    JSValue *arrp;
    uint32_t count;
+    int res;

    obj = JS_ToObject(ctx, this_val);
    if (js_get_length64(ctx, &len, obj))
@ -50000,8 +50003,10 @@ static JSValue js_typed_array_indexOf(JSContext *ctx, JSValue this_val,
    } else
    if (tag == JS_TAG_FLOAT64) {
        d = JS_VALUE_GET_FLOAT64(argv[0]);
-        v64 = d;
-        is_int = (v64 == d);
+        if (d >= INT64_MIN && d < 0x1p63) {
+            v64 = d;
+            is_int = (v64 == d);
+        }
    } else
    if (tag == JS_TAG_BIG_INT) {
        JSBigInt *p1 = JS_VALUE_GET_PTR(argv[0]);