author | Charlie Gordon <github@chqrlie.org> | 2024-02-17 21:15:29 +0100 |
committer | bptato <nincsnevem662@gmail.com> | 2024-03-02 18:12:24 +0100 |
commit | e7240962d5131d25a3214ad00b7a66929173862d (patch) | |
tree | 4aa3abdd10bc019122dbea85518a4edef7998f27 /lib | |
parent | fe4e8e4e2d22f253270cca071b3ad3ae19a27976 (diff) | |
download | chawan-e7240962d5131d25a3214ad00b7a66929173862d.tar.gz |
Fix UB signed integer overflow in js_math_imul
- Use uint32_t arithmetic and a Standard-conformant conversion to avoid UB in js_math_imul. - Add builtin tests. - Use specific object directories for SAN targets.
Diffstat (limited to 'lib')
-rw-r--r-- | lib/quickjs/quickjs.c | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/lib/quickjs/quickjs.c b/lib/quickjs/quickjs.c
index 8e691038..bb09fbe6 100644
--- a/lib/quickjs/quickjs.c
+++ b/lib/quickjs/quickjs.c
@@ -43200,14 +43200,16 @@ static double js_math_fround(double a)
 static JSValue js_math_imul(JSContext *ctx, JSValueConst this_val,
 int argc, JSValueConst *argv)
 {
- int a, b;
+ uint32_t a, b, c;
+ int32_t d;
 
- if (JS_ToInt32(ctx, &a, argv[0]))
+ if (JS_ToUint32(ctx, &a, argv[0]))
 return JS_EXCEPTION;
- if (JS_ToInt32(ctx, &b, argv[1]))
+ if (JS_ToUint32(ctx, &b, argv[1]))
 return JS_EXCEPTION;
- /* purposely ignoring overflow */
- return JS_NewInt32(ctx, a * b);
+ c = a * b;
+ memcpy(&d, &c, sizeof(d));
+ return JS_NewInt32(ctx, d);
 }
 
 static JSValue js_math_clz32(JSContext *ctx, JSValueConst this_val, |
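Review bot: The new `c = a * b;` / `memcpy(&d, &c, sizeof(d));` lines carry no comment saying why a byte copy stands in for a cast, which invites a later "simplification" to `(int32_t)c` that would reintroduce the implementation-defined (pre-C23) conversion of out-of-range unsigned values that the commit is avoiding. A short comment on the `memcpy` line, e.g. `/* product wraps mod 2^32; memcpy reinterprets the bits as two's-complement int32 instead of (int32_t)c, which is implementation-defined for c > INT32_MAX before C23 */`, would pin the intent. The `uint32_t` multiplication is only guaranteed unsigned where `unsigned int` is at least 32 bits wide; on a hypothetical platform with a wider `int`, `uint32_t` promotes to signed `int` and the overflow becomes UB again, so if portability beyond such targets matters, `c = (uint32_t)((uint64_t)a * b);` removes that dependency. The `memcpy` also relies on `<string.h>` being included earlier in the file, which this hunk does not show.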