Merge pull request #1 from leeN/primitaint-wasm-equality

Fixed equality of tainted numbers
0drai · Aug 11, 2024 · e9e49a1 · e9e49a1
2 parents b1e7e79 + ed70f3c
commit e9e49a1
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/js/src/vm/EqualityOperations.cpp b/js/src/vm/EqualityOperations.cpp
@@ -8,6 +8,8 @@
 
 #include "mozilla/Assertions.h"  // MOZ_ASSERT, MOZ_ASSERT_IF
 
+#include <iostream>
+
 #include "jsnum.h"    // js::StringToNumber
 #include "jstypes.h"  // JS_PUBLIC_API
 
@@ -35,6 +37,18 @@ static bool EqualGivenSameType(JSContext* cx, JS::Handle<JS::Value> lval,
   if (lval.isString()) {
     return js::EqualStrings(cx, lval.toString(), rval.toString(), equal);
   }
+
+  // TaintFox: special case to handle strict equality of tainted numbers.
+  if (isAnyTaintedNumber(lval, rval) &&
+      (lval.isNumber() || isTaintedNumber(lval)) &&
+      (rval.isNumber() || isTaintedNumber(rval))) {
+    double l, r;
+    if (!ToNumber(cx, lval, &l) || !ToNumber(cx, rval, &r))
+      return false;
+
+    *equal = (l == r);
+    return true;
+  }
 
   if (lval.isDouble()) {
     *equal = (lval.toDouble() == rval.toDouble());