RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-26 11:17:44 +00:00
Code Issues Activity Actions

LibJS: Ensure shift values in shift_right are modded by 32

Browse source 
The unsigned shift right implementation was already doing this, but
the spec requires a mod32 of rhs before the shift for the signed shift
right implementation as well. Caught by UBSAN and oss-fuzz.
This commit is contained in:
Andrew Kaster 2021-05-31 13:08:49 -06:00 committed by Andreas Kling
parent 1f2720ce0d
commit e389ae3c97
1 changed files with 1 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

2
Userland/Libraries/LibJS/Runtime/Value.cpp
View file

@ -1020,7 +1020,7 @@ Value right_shift(GlobalObject& global_object, Value lhs, Value rhs)
if (!rhs_numeric.is_finite_number())
return lhs_numeric;
auto lhs_i32 = lhs_numeric.to_i32(global_object);
auto rhs_u32 = rhs_numeric.to_u32(global_object);
auto rhs_u32 = rhs_numeric.to_u32(global_object) % 32;
return Value(lhs_i32 >> rhs_u32);
}
if (both_bigint(lhs_numeric, rhs_numeric)) {