about summary refs log tree commit diff stats
path: root/lib/quickjs/quickjs.c
diff options
context:
space:
mode:
authorCharlie Gordon <github@chqrlie.org>2024-02-17 21:15:29 +0100
committerbptato <nincsnevem662@gmail.com>2024-03-02 18:12:24 +0100
commite7240962d5131d25a3214ad00b7a66929173862d (patch)
tree4aa3abdd10bc019122dbea85518a4edef7998f27 /lib/quickjs/quickjs.c
parentfe4e8e4e2d22f253270cca071b3ad3ae19a27976 (diff)
downloadchawan-e7240962d5131d25a3214ad00b7a66929173862d.tar.gz
Fix UB signed integer overflow in js_math_imul
- Use uint32_t arithmetics and Standard conformant conversion to
  avoid UB in js_math_imul.
- add builtin tests
- use specific object directories for SAN targets
Diffstat (limited to 'lib/quickjs/quickjs.c')
-rw-r--r--lib/quickjs/quickjs.c12
1 files changed, 7 insertions, 5 deletions
diff --git a/lib/quickjs/quickjs.c b/lib/quickjs/quickjs.c
index 8e691038..bb09fbe6 100644
--- a/lib/quickjs/quickjs.c
+++ b/lib/quickjs/quickjs.c
@@ -43200,14 +43200,16 @@ static double js_math_fround(double a)
 static JSValue js_math_imul(JSContext *ctx, JSValueConst this_val,
                             int argc, JSValueConst *argv)
 {
-    int a, b;
+    uint32_t a, b, c;
+    int32_t d;
 
-    if (JS_ToInt32(ctx, &a, argv[0]))
+    if (JS_ToUint32(ctx, &a, argv[0]))
         return JS_EXCEPTION;
-    if (JS_ToInt32(ctx, &b, argv[1]))
+    if (JS_ToUint32(ctx, &b, argv[1]))
         return JS_EXCEPTION;
-    /* purposely ignoring overflow */
-    return JS_NewInt32(ctx, a * b);
+    c = a * b;
+    memcpy(&d, &c, sizeof(d));
+    return JS_NewInt32(ctx, d);
 }
 
 static JSValue js_math_clz32(JSContext *ctx, JSValueConst this_val,