Fix integer addition/subtraction overflow (#1091)

sebastienros · Feb 16, 2022 · b271cef · b271cef
1 parent bb070cc
commit b271cef
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 5 deletions.
diff --git a/Jint.Tests/Runtime/EngineTests.cs b/Jint.Tests/Runtime/EngineTests.cs
@@ -547,6 +547,22 @@ public void NaNIsNan()
             ");
         }
 
+        [Theory]
+        [InlineData(2147483647, 1, 2147483648)]
+        [InlineData(-2147483647, -2, -2147483649)]
+        public void IntegerAdditionShouldNotOverflow(int lhs, int rhs, long result)
+        {
+            RunTest($"assert({lhs} + {rhs} == {result})");
+        }
+
+        [Theory]
+        [InlineData(2147483647, -1, 2147483648)]
+        [InlineData(-2147483647, 2, -2147483649)]
+        public void IntegerSubtractionShouldNotOverflow(int lhs, int rhs, long result)
+        {
+            RunTest($"assert({lhs} - {rhs} == {result})");
+        }
+
         [Fact]
         public void ToNumberHandlesStringObject()
         {

diff --git a/Jint/Native/JsNumber.cs b/Jint/Native/JsNumber.cs
@@ -58,17 +58,17 @@ public JsNumber(int value) : base(InternalTypes.Integer)
             _value = value;
         }
 
-        public JsNumber(uint value) : base(value < int.MaxValue ? InternalTypes.Integer : InternalTypes.Number)
+        public JsNumber(uint value) : base(value <= int.MaxValue ? InternalTypes.Integer : InternalTypes.Number)
         {
             _value = value;
         }
 
-        public JsNumber(ulong value) : base(value < int.MaxValue ? InternalTypes.Integer : InternalTypes.Number)
+        public JsNumber(ulong value) : base(value <= int.MaxValue ? InternalTypes.Integer : InternalTypes.Number)
         {
             _value = value;
         }
 
-        public JsNumber(long value) : base(value < int.MaxValue && value > int.MinValue ? InternalTypes.Integer : InternalTypes.Number)
+        public JsNumber(long value) : base(value <= int.MaxValue && value >= int.MinValue ? InternalTypes.Integer : InternalTypes.Number)
         {
             _value = value;
         }

diff --git a/Jint/Runtime/Interpreter/Expressions/JintBinaryExpression.cs b/Jint/Runtime/Interpreter/Expressions/JintBinaryExpression.cs
@@ -268,7 +268,7 @@ protected override ExpressionResult EvaluateInternal(EvaluationContext context)
 
                 if (AreIntegerOperands(left, right))
                 {
-                    return NormalCompletion(JsNumber.Create(left.AsInteger() + right.AsInteger()));
+                    return NormalCompletion(JsNumber.Create((long)left.AsInteger() + right.AsInteger()));
                 }
 
                 var lprim = TypeConverter.ToPrimitive(left);
@@ -315,7 +315,7 @@ protected override ExpressionResult EvaluateInternal(EvaluationContext context)
 
                 if (AreIntegerOperands(left, right))
                 {
-                    number = JsNumber.Create(left.AsInteger() - right.AsInteger());
+                    number = JsNumber.Create((long)left.AsInteger() - right.AsInteger());
                 }
                 else if (AreNonBigIntOperands(left, right))
                 {