RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-27 14:57:35 +00:00
Code Issues Activity Actions

LibJS: Make int_part a double in StringPrototype::to_string

Browse source 
u64 is not big enough to hold extremely large numbers, such as
4.192938423e+54. This would cause an integer underflow on the radix
index when performing something like `toString(36)` and thus cause an
OOB Array read.
This commit is contained in:
Luke Wilde 2023-02-28 19:27:28 +00:00 committed by Andreas Kling
parent 52a6f1ff8c
commit ddc7bedca6
2 changed files with 59 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

5
Userland/Libraries/LibJS/Runtime/NumberPrototype.cpp
View file

@ -459,7 +459,7 @@ JS_DEFINE_NATIVE_FUNCTION(NumberPrototype::to_string)
if (negative)
number *= -1;
u64 int_part = floor(number);
double int_part = floor(number);
double decimal_part = number - int_part;
int radix = (int)radix_mv;
@ -469,8 +469,9 @@ JS_DEFINE_NATIVE_FUNCTION(NumberPrototype::to_string)
backwards_characters.append('0');
} else {
while (int_part > 0) {
backwards_characters.append(digits[int_part % radix]);
backwards_characters.append(digits[floor(fmod(int_part, radix))]);
int_part /= radix;
int_part = floor(int_part);
}
}