author | Charlie Gordon <github@chqrlie.org> | 2024-03-03 14:05:40 +0100 |
---|---|---|
committer | Charlie Gordon <github@chqrlie.org> | 2024-03-03 14:05:40 +0100 |
commit | 06c100c9bfeef0d0c1d138153321491f7884cef3 (patch) | |
tree | 6987131831e232535b359e97b0cee295b8ee65a5 /quickjs.h | |
parent | 3dd93eb4e4b82ded4570a6baaf0a6418507144b7 (diff) | |
Prevent UB on memcpy and floating point conversions
- add `memcpy_no_ub` that accepts null pointers for 0 count
- prevent 0 length allocation in `js_worker_postMessage`
- use safer test for `int` value in `JS_NewFloat64`,
`JS_ToArrayLengthFree` and `js_typed_array_indexOf`
Diffstat (limited to 'quickjs.h')
-rw-r--r-- | quickjs.h | 20 |
1 files changed, 9 insertions, 11 deletions
@@ -550,23 +550,21 @@ JSValue JS_NewBigUint64(JSContext *ctx, uint64_t v);

 static js_force_inline JSValue JS_NewFloat64(JSContext *ctx, double d)
 {
- JSValue v;
 int32_t val;
 union {
 double d;
 uint64_t u;
 } u, t;
- u.d = d;
- val = (int32_t)d;
- t.d = val;
- /* -0 cannot be represented as integer, so we compare the bit
- representation */
- if (u.u == t.u) {
- v = JS_MKVAL(JS_TAG_INT, val);
- } else {
- v = __JS_NewFloat64(ctx, d);
+ if (d >= INT32_MIN && d <= INT32_MAX) {
+ u.d = d;
+ val = (int32_t)d;
+ t.d = val;
+ /* -0 cannot be represented as integer, so we compare the bit
+ representation */
+ if (u.u == t.u)
+ return JS_MKVAL(JS_TAG_INT, val);
 }
- return v;
+ return __JS_NewFloat64(ctx, d);
 }

 static inline JS_BOOL JS_IsNumber(JSValueConst v) |
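Review bot: The new range guard `if (d >= INT32_MIN && d <= INT32_MAX)` in JS_NewFloat64 has no comment saying that it exists to keep `(int32_t)d` defined, or that its exact form matters. NaN fails both comparisons and so skips the cast; an equivalent-looking rewrite such as `!(d < INT32_MIN || d > INT32_MAX)` would let NaN reach the conversion again. Because `d` presumably can originate from script-supplied numbers, I would add above the `if`: `/* converting NaN or an out-of-range double to int32_t is UB; NaN fails both comparisons, so keep the test in this form */`. The existing -0 comment explains only the bit comparison, not the guard.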