author | Andrew Kaster <akaster@serenityos.org> | 2021-05-31 13:05:39 -0600 |
---|---|---|
committer | Andreas Kling <kling@serenityos.org> | 2021-06-27 22:35:37 +0200 |
commit | 1f2720ce0d43e74100ef093cd0222780e8929bab (patch) | |
tree | 89cc675a49761eba81f3cbff821c38d72c07a181 | |
parent | 091628202f17015d3cb3c1813d5deb5139410a13 (diff) | |
download | serenity-1f2720ce0d43e74100ef093cd0222780e8929bab.zip |
LibJS: Avoid undefined static cast of negative values in to_u32
If the value we get after fmod in Value::to_u32 is negative, UBSAN
complains that -N is out of bounds for u32. An extra static cast to i64
makes it stop complaining. An alternative implementation could add 2^32
if the fmod'd value is negative. Caught by UBSAN and oss-fuzz.
-rw-r--r-- | Userland/Libraries/LibJS/Runtime/Value.cpp | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/Userland/Libraries/LibJS/Runtime/Value.cpp b/Userland/Libraries/LibJS/Runtime/Value.cpp index e2b0eac70d..0317f35882 100644 --- a/Userland/Libraries/LibJS/Runtime/Value.cpp +++ b/Userland/Libraries/LibJS/Runtime/Value.cpp @@ -637,7 +637,9 @@ u32 Value::to_u32(GlobalObject& global_object) const if (signbit(value)) int_val = -int_val; auto int32bit = fmod(int_val, NumericLimits<u32>::max() + 1.0); - return static_cast<u32>(int32bit); + // Cast to i64 here to ensure that the double --> u32 cast doesn't invoke undefined behavior + // Otherwise, negative numbers cause a UBSAN warning. + return static_cast<u32>(static_cast<i64>(int32bit)); } // 7.1.8 ToInt16 ( argument ), https://tc39.es/ecma262/#sec-toint16 |
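Review bot: The comment added above the new return statement explains the i64 cast only as a way to quiet UBSAN ("Otherwise, negative numbers cause a UBSAN warning"), and does not say why the value returned is still the right one. The double-to-u32 cast of a negative value is undefined behavior in its own right, not just a sanitizer diagnostic, so the comment should say that. It should also record the reasoning: after fmod against NumericLimits<u32>::max() + 1.0 the magnitude of int32bit is below 2^32, so the cast to i64 is in range, and the following i64-to-u32 conversion reduces modulo 2^32, which is the wraparound ToUint32 needs for negative inputs. The diffstat lists Value.cpp as the only file changed, so no regression test covers the negative case; a test-js case converting a small negative number through this path would keep the fix from regressing. Since the commit message mentions adding 2^32 as an alternative, it is also worth checking whether the sibling conversions such as the ToInt16 function that follows in the context use the same direct cast.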