Version
All versions supporting Node-API 8+
Platform
All
Subsystem
Node-API
What steps will reproduce the bug?
Create a type tag with an upper value of 0.
static const napi_type_tag MyTypeTag = {
0xa5ed9ce2e4c00c38, 0x0
};
Tag an object with it:
napi_type_tag_object(env, obj, &MyTypeTag);
Check the type tag:
bool is_my_type;
napi_check_object_type_tag(env, obj, &MyTypeTag, &is_my_type);
How often does it reproduce? Is there a required condition?
100% of the time
What is the expected behavior?
napi_check_object_type_tag will set is_my_type to true.
What do you see instead?
is_my_type remains false.
Additional information
Type tags are stored in a BigInt. If upper is 0, then the leading zero gets truncated and the length is 1. However, the following check expects the length to always be 2.
if (size == 2 && sign == 0)
This could be something like:
napi_type_tag tag = { 0, 0 };
/* ... */
if (size <= 2 && sign == 0)
*result = (tag.lower == type_tag->lower && tag.upper == type_tag->upper);
Referenced check: node/src/js_native_api_v8.cc, line 2455 in 5fad0b9
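The truncation described in this report can be modelled without Node headers. The following is an added example, not Node.js source and not the reporter's code: `type_tag`, `stored_tag`, `store_tag`, `read_words`, `check_tag` and `roundtrip` are hypothetical stand-ins, and the word storage is assumed to drop leading zero words as the report describes. It compares the `size == 2` check with the relaxed `size <= 2` check over a zero-filled buffer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Local stand-in for napi_type_tag (hypothetical, so no Node headers are needed). */
typedef struct { uint64_t lower; uint64_t upper; } type_tag;

/* Assumed storage model: 64-bit words, most significant zero words not kept. */
typedef struct { int sign; size_t size; uint64_t words[2]; } stored_tag;

static stored_tag store_tag(const type_tag *t) {
  stored_tag s = { 0, 2, { t->lower, t->upper } };
  while (s.size > 0 && s.words[s.size - 1] == 0) s.size--;  /* drop leading zeros */
  return s;
}

/* Copy the stored words into out[] (capacity *size) and report the stored count. */
static void read_words(const stored_tag *s, int *sign, size_t *size, uint64_t *out) {
  *sign = s->sign;
  for (size_t i = 0; i < s->size && i < *size; i++) out[i] = s->words[i];
  *size = s->size;
}

/* relaxed == false: the check quoted in the report (exactly two words).
 * relaxed == true:  the suggested check (at most two words). */
static bool check_tag(const stored_tag *s, const type_tag *want, bool relaxed) {
  uint64_t w[2] = { 0, 0 };  /* zero-fill so a truncated word reads back as 0 */
  int sign = 0;
  size_t size = 2;
  read_words(s, &sign, &size, w);
  bool size_ok = relaxed ? (size <= 2) : (size == 2);
  return size_ok && sign == 0 && w[0] == want->lower && w[1] == want->upper;
}

/* Tag an object with {lower, upper}, then check it against the same tag. */
static bool roundtrip(uint64_t lower, uint64_t upper, bool relaxed) {
  type_tag t = { lower, upper };
  stored_tag s = store_tag(&t);
  return check_tag(&s, &t, relaxed);
}

int main(void) {
  /* Tag value taken from the report: upper word is 0. */
  printf("size == 2: %d\n", roundtrip(0xa5ed9ce2e4c00c38ULL, 0x0, false));
  printf("size <= 2: %d\n", roundtrip(0xa5ed9ce2e4c00c38ULL, 0x0, true));
  return 0;
}
```

With the strict check, a correctly tagged object is rejected, so code that relies on the type tag to guard against handing the wrong object to a native unwrap fails closed for every tag whose upper word is 0.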