From 1baa4609252ea42065c4399b9081b2087c8d70a2 Mon Sep 17 00:00:00 2001
From: Bart Sears
Date: Wed, 3 Nov 2010 16:03:53 -0700
Subject: Cherry-pick WebKit security fix (webkit.org r64706) Do not merge
See http://trac.webkit.org/changeset/64706
Bug:3162623
Change-Id: I17abfbac4013ea98401f4088e9079faa15b9b8d9
---
 JavaScriptCore/API/JSValueRef.cpp | 6 ++++++
 JavaScriptCore/wtf/dtoa.cpp | 1 +
 2 files changed, 7 insertions(+)
(limited to 'JavaScriptCore')
diff --git a/JavaScriptCore/API/JSValueRef.cpp b/JavaScriptCore/API/JSValueRef.cpp
index a12cc34..518fc7b 100644
--- a/JavaScriptCore/API/JSValueRef.cpp
+++ b/JavaScriptCore/API/JSValueRef.cpp
@@ -211,6 +211,12 @@ JSValueRef JSValueMakeNumber(JSContextRef ctx, double value)
 ExecState* exec = toJS(ctx);
 APIEntryShim entryShim(exec);
+ // Our JSValue representation relies on a standard bit pattern for NaN. NaNs
+ // generated internally to JavaScriptCore naturally have that representation,
+ // but an external NaN might not.
+ if (isnan(value))
+ value = NaN;
+
 return toRef(exec, jsNumber(exec, value));
 }
diff --git a/JavaScriptCore/wtf/dtoa.cpp b/JavaScriptCore/wtf/dtoa.cpp
index 6289d04..e63be90 100644
--- a/JavaScriptCore/wtf/dtoa.cpp
+++ b/JavaScriptCore/wtf/dtoa.cpp
@@ -168,6 +168,7 @@
 #endif
 #define INFNAN_CHECK
+#define No_Hex_NaN
 #if defined(IEEE_8087) + defined(IEEE_MC68k) + defined(IEEE_ARM) != 1
 Exactly one of IEEE_8087, IEEE_ARM or IEEE_MC68k should be defined.
-- 
cgit v1.1
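Review bot: The comment above the `isnan(value)` check in JSValueMakeNumber says the encoding relies on a standard NaN bit pattern, but not what goes wrong otherwise, which is what a maintainer needs to know before touching this guard. I would add a line such as `// A NaN with other payload bits could be decoded as a non-number JSValue, so canonicalize before boxing.` (presumably the failure mode, given the existing comment). The guard covers only this one API entry point, whose opening lies outside the hunk. Whether other paths that pass an embedder-supplied double to `jsNumber()` need the same canonicalization cannot be judged from here and is worth auditing. It is also worth confirming this file is never built with finite-math optimizations such as `-ffast-math`, under which `isnan()` can be folded away and the check silently lost.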
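Review bot: The new `#define No_Hex_NaN` in dtoa.cpp has no comment, so nothing marks it as part of a security fix, and a later re-import of upstream dtoa or a cleanup of unused-looking macros could drop it unnoticed. In the original dtoa sources this macro, together with `INFNAN_CHECK`, stops `strtod` from accepting `NaN(<hex digits>)` strings, which would otherwise give string input control over the NaN payload bits. I would add `// Security: do not parse "nan(<hex>)"; JSValue requires the canonical NaN bit pattern (see JSValueMakeNumber).` directly above the define. The code that consumes the macro is outside this hunk, so its effect in this copy of the file should be confirmed, ideally with a regression test that parses such a string and checks for the canonical NaN.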