Cherry-pick WebKit security fix (webkit.org r64706) Do not merge

See http://trac.webkit.org/changeset/64706

Bug:3162623

Change-Id: I17abfbac4013ea98401f4088e9079faa15b9b8d9
diff --git a/JavaScriptCore/API/JSValueRef.cpp b/JavaScriptCore/API/JSValueRef.cpp
index a12cc34..518fc7b 100644
--- a/JavaScriptCore/API/JSValueRef.cpp
+++ b/JavaScriptCore/API/JSValueRef.cpp
@@ -211,6 +211,12 @@
     ExecState* exec = toJS(ctx);
     APIEntryShim entryShim(exec);
 
+    // Our JSValue representation relies on a standard bit pattern for NaN. NaNs
+    // generated internally to JavaScriptCore naturally have that representation,
+    // but an external NaN might not.
+    if (isnan(value))
+        value = NaN;
+
     return toRef(exec, jsNumber(exec, value));
 }
 
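Review bot: The comment above the `isnan(value)` check says why the NaN is replaced but not what goes wrong if it is not, and that is what a maintainer needs to know before touching it. If JSValue encodes non-number values inside the NaN space, as "relies on a standard bit pattern" suggests, an embedder-supplied NaN with a different payload could be read back as something other than a number. I would extend the comment with a line such as `// A NaN with any other payload could be misread as a non-number JSValue, so canonicalize before boxing.` The function's signature is outside the hunk, and the check covers only this one entry point. Any other path that takes a double from outside the engine and reaches `jsNumber` would need the same guard, which cannot be confirmed from here.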
diff --git a/JavaScriptCore/wtf/dtoa.cpp b/JavaScriptCore/wtf/dtoa.cpp
index 6289d04..e63be90 100644
--- a/JavaScriptCore/wtf/dtoa.cpp
+++ b/JavaScriptCore/wtf/dtoa.cpp
@@ -168,6 +168,7 @@
 #endif
 
 #define INFNAN_CHECK
+#define No_Hex_NaN
 
 #if defined(IEEE_8087) + defined(IEEE_MC68k) + defined(IEEE_ARM) != 1
 Exactly one of IEEE_8087, IEEE_ARM or IEEE_MC68k should be defined.
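Review bot: `#define No_Hex_NaN` is added with no comment, so nothing in dtoa.cpp records that it belongs to a security fix. In the upstream dtoa code this macro turns off parsing of the hex digits in `nan(...)` input, which is presumably what stops string-to-double conversion from producing a NaN with a caller-chosen payload. I would put a line above it such as `// Security: never parse nan(hex) payloads; JSValue relies on a single NaN bit pattern.` so the define is not dropped in a later dtoa resync.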