FIX: prevent large JS integer wraparound

SamSaffron · SamSaffron · commit 42a8a0356071 · 2026-06-11T11:17:35.000+10:00
Convert integral JavaScript numbers to Ruby integers without truncating through Fixnum-sized conversions, preserving values at and above 2^62. Add coverage for large numeric eval results and callback arguments, and update the changelog.
diff --git a/CHANGELOG b/CHANGELOG
@@ -1,6 +1,7 @@
 - (Unreleased)
   - Add `Context#perform_microtask_checkpoint` to synchronously drain the V8 microtask queue, useful for spec-compliant `dispatchEvent` sequencing inside Ruby callbacks
-  - Fix native memory leaks in `Context#heap_snapshot`/`Context#write_heap_snapshot`; thanks to Pranjali Thakur from depthfrist.com
+  - Fix native memory leaks in `Context#heap_snapshot`/`Context#write_heap_snapshot`; thanks to Pranjali Thakur from depthfirst.com
+  - Fix large integral JavaScript numbers wrapping to negative Ruby integers; thanks to Pranjali Thakur from depthfirst.com
 
 - 0.21.1 - 25-05-2026
   - Run `:single_threaded` V8 dispatches on a reusable mini_racer-owned native thread so V8 does not execute on Ruby-owned threads
diff --git a/ext/mini_racer_extension/mini_racer_extension.c b/ext/mini_racer_extension/mini_racer_extension.c
@@ -316,13 +316,19 @@ static void des_bool(void *arg, int v)
 
 static void des_int(void *arg, int64_t v)
 {
-    put(arg, LONG2FIX(v));
+    put(arg, LL2NUM((LONG_LONG)v));
 }
 
 static void des_num(void *arg, double v)
 {
-    if (isfinite(v) && v == trunc(v) && v >= INT64_MIN && v <= INT64_MAX) {
-        put(arg, LONG2FIX(v));
+    if (isfinite(v) && v == trunc(v)) {
+        // INT64_MAX is not exactly representable as a double: it rounds up to
+        // 2^63, which would let 2^63 through and make the cast undefined.
+        if (v >= -0x1p63 && v < 0x1p63) {
+            put(arg, LL2NUM((LONG_LONG)v));
+        } else {
+            put(arg, rb_dbl2big(v));
+        }
     } else {
         put(arg, DBL2NUM(v));
     }
diff --git a/test/mini_racer_test.rb b/test/mini_racer_test.rb
@@ -1228,6 +1228,25 @@ def test_ruby_exception
     end
   end
 
+  def test_large_javascript_numbers_do_not_wrap
+    context = MiniRacer::Context.new
+
+    {
+      "Number.MAX_SAFE_INTEGER" => 2**53 - 1,
+      "2**62" => 2**62,
+      "2**63" => 2**63,
+      "-(2**62) - 1024" => -(2**62) - 1024,
+    }.each do |source, expected|
+      result = context.eval(source)
+      assert_kind_of Integer, result
+      assert_equal expected, result
+    end
+
+    context.attach("allow_admin", proc { |uid| [uid, uid < 0] })
+    assert_equal [7, false], context.eval("allow_admin(7)")
+    assert_equal [2**62, false], context.eval("allow_admin(2**62)")
+  end
+
   def test_large_integer
     [10_000_000_001, -2**63, 2**63-1].each { |big_int|
       context = MiniRacer::Context.new

Original file line number	Diff line number	Diff line change
`@@ -316,13 +316,19 @@ static void des_bool(void *arg, int v)`
`316`	`316`
`317`	`317`	`static void des_int(void *arg, int64_t v)`
`318`	`318`	`{`
`319`		`- put(arg, LONG2FIX(v));`
	`319`	`+ put(arg, LL2NUM((LONG_LONG)v));`
`320`	`320`	`}`
`321`	`321`
`322`	`322`	`static void des_num(void *arg, double v)`
`323`	`323`	`{`
`324`		`- if (isfinite(v) && v == trunc(v) && v >= INT64_MIN && v <= INT64_MAX) {`
`325`		`- put(arg, LONG2FIX(v));`
	`324`	`+ if (isfinite(v) && v == trunc(v)) {`
	`325`	`+ // INT64_MAX is not exactly representable as a double: it rounds up to`
	`326`	`+ // 2^63, which would let 2^63 through and make the cast undefined.`
	`327`	`+ if (v >= -0x1p63 && v < 0x1p63) {`
	`328`	`+ put(arg, LL2NUM((LONG_LONG)v));`
	`329`	`+ } else {`
	`330`	`+ put(arg, rb_dbl2big(v));`
	`331`	`+ }`
`326`	`332`	`} else {`
`327`	`333`	`put(arg, DBL2NUM(v));`
`328`	`334`	`}`