From 43dc65d605a72e60476433622bdf086faed82467 Mon Sep 17 00:00:00 2001
From: Charlie Gordon
Date: Tue, 16 Apr 2024 23:18:02 +0200
Subject: [PATCH] Fix potential conversion errors (#384)

- fix undefined behavior in double to int conversions
- do not pass an `int64_t` to `js_bool()`
---
 quickjs.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/quickjs.c b/quickjs.c
index e4d9d81..20e4e41 100644
--- a/quickjs.c
+++ b/quickjs.c
@@ -10884,6 +10884,8 @@ static __exception int JS_ToArrayLengthFree(JSContext *ctx, uint32_t *plen,
if (JS_TAG_IS_FLOAT64(tag)) {
double d;
d = JS_VALUE_GET_FLOAT64(val);
+ if (!(d >= 0 && d <= UINT32_MAX))
+ goto fail;
len = (uint32_t)d;
if (len != d)
goto fail;
@@ -37570,9 +37572,10 @@ static JSValue js_array_includes(JSContext *ctx, JSValue this_val,
int argc, JSValue *argv)
{
JSValue obj, val;
- int64_t len, n, res;
+ int64_t len, n;
JSValue *arrp;
uint32_t count;
+ int res;
obj = JS_ToObject(ctx, this_val);
if (js_get_length64(ctx, &len, obj))
@@ -50000,8 +50003,10 @@ static JSValue js_typed_array_indexOf(JSContext *ctx, JSValue this_val,
} else if (tag == JS_TAG_FLOAT64) {
d = JS_VALUE_GET_FLOAT64(argv[0]);
- v64 = d;
- is_int = (v64 == d);
+ if (d >= INT64_MIN && d < 0x1p63) {
+ v64 = d;
+ is_int = (v64 == d);
+ }
} else if (tag == JS_TAG_BIG_INT) {
JSBigInt *p1 = JS_VALUE_GET_PTR(argv[0]);
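Review bot: The negated conjunction `!(d >= 0 && d <= UINT32_MAX)` on the added guard in JS_ToArrayLengthFree is load-bearing — it is the form that also rejects NaN, because every comparison against NaN is false — but nothing records that, and a later "simplification" to `d < 0 || d > UINT32_MAX` would let NaN reach the `(uint32_t)d` cast, which is undefined for any value not representable in the target type (C11 6.3.1.4p1), the very UB this commit sets out to remove. I would add above the guard: `/* NaN, negative and > UINT32_MAX doubles make the (uint32_t) cast below undefined; the negated form is deliberate so that NaN fails too */`. The existing `if (len != d)` test after the cast must stay as well, since the guard intentionally passes in-range fractional values that only that comparison rejects. JS_ToArrayLengthFree starts before this hunk and continues past it.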
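Review bot: `res` is narrowed from `int64_t` to `int` at the new declaration in js_array_includes, but every assignment to it lies outside the hunk, so from here it cannot be confirmed that no path stores an index or length (an `int64_t` like `n` or `len`) into it, which would now truncate silently rather than being caught; the assignments should be checked before relying on the "only passed to js_bool()" rationale in the commit message. A comment pinning that intent would make the invariant visible to the next reader, e.g. `int res; /* boolean result (0/1) only, passed to js_bool() */`. If any path can reach the final conversion without assigning `res`, the read is undefined at either width, so initializing at the declaration (`int res = 0;`) is cheap insurance if such a path exists. js_array_includes begins at the hunk header and its body continues past the hunk.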