LibJS: Avoid undefined static cast of negative values in to_u32

If the value we get after fmod in Value::to_u32 is negative, UBSAN complains that -N is out of bounds for u32. An extra static cast to i64 makes it stop complaining. An alternative implementation could add 2^32 if the fmod'd value is negative. Caught by UBSAN and oss-fuzz.
Author: https://github.com/ADKaster Commit: https://github.com/SerenityOS/serenity/commit/1f2720ce0d4 Pull-request: https://github.com/SerenityOS/serenity/pull/7643 Reviewed-by: https://github.com/awesomekling
2024-09-30 00:31:14 +00:00 · 2021-05-31 13:05:39 -06:00 · 2021-05-31 13:05:39 -06:00 · 1f2720ce0d · 2024-07-18 11:26:22 +09:00
parent 091628202f
commit 1f2720ce0d
1 changed files with 3 additions and 1 deletions
--- a/Userland/Libraries/LibJS/Runtime/Value.cpp
+++ b/Userland/Libraries/LibJS/Runtime/Value.cpp
@ -637,7 +637,9 @@ u32 Value::to_u32(GlobalObject& global_object) const
    if (signbit(value))
        int_val = -int_val;
    auto int32bit = fmod(int_val, NumericLimits<u32>::max() + 1.0);
-    return static_cast<u32>(int32bit);
+    // Cast to i64 here to ensure that the double --> u32 cast doesn't invoke undefined behavior
+    // Otherwise, negative numbers cause a UBSAN warning.
+    return static_cast<u32>(static_cast<i64>(int32bit));
 }

 // 7.1.8 ToInt16 ( argument ), https://tc39.es/ecma262/#sec-toint16