Fix potential conversion errors (#384)

- fix undefined behavior in double to int conversions
- do not pass an `int64_t` to `js_bool()`
This commit is contained in:
Charlie Gordon 2024-04-16 23:18:02 +02:00 committed by GitHub
parent 70a60f0aa1
commit 43dc65d605
No known key found for this signature in database
GPG key ID: B5690EEEBB952194

View file

@ -10884,6 +10884,8 @@ static __exception int JS_ToArrayLengthFree(JSContext *ctx, uint32_t *plen,
if (JS_TAG_IS_FLOAT64(tag)) {
double d;
d = JS_VALUE_GET_FLOAT64(val);
if (!(d >= 0 && d <= UINT32_MAX))
goto fail;
len = (uint32_t)d;
if (len != d)
goto fail;
@ -37570,9 +37572,10 @@ static JSValue js_array_includes(JSContext *ctx, JSValue this_val,
int argc, JSValue *argv)
{
JSValue obj, val;
int64_t len, n, res;
int64_t len, n;
JSValue *arrp;
uint32_t count;
int res;
obj = JS_ToObject(ctx, this_val);
if (js_get_length64(ctx, &len, obj))
@ -50000,8 +50003,10 @@ static JSValue js_typed_array_indexOf(JSContext *ctx, JSValue this_val,
} else
if (tag == JS_TAG_FLOAT64) {
d = JS_VALUE_GET_FLOAT64(argv[0]);
v64 = d;
is_int = (v64 == d);
if (d >= INT64_MIN && d < 0x1p63) {
v64 = d;
is_int = (v64 == d);
}
} else
if (tag == JS_TAG_BIG_INT) {
JSBigInt *p1 = JS_VALUE_GET_PTR(argv[0]);