authorBen Noordhuis <info@bnoordhuis.nl>2016-06-02 19:11:28 +0300
committerMyles Borins <mborins@us.ibm.com>2016-06-06 21:00:37 +0300
commit134c3b3977318b6d98cb1ec3381f2ac61afd1370 (patch)
tree879eaeed378adc8cd87f6cdc9e1f1a2100204ab0
parente2ccf6242004e38cf71fc8aa4f093f46308f09dd (diff)
deps: backport 3a9bfec from v8 upstream
Original commit message: Fix overflow issue in Zone::New When requesting a large allocation near the end of the address space, the computation could overflow and erroneously *not* grow the Zone as required. BUG=chromium:606115 LOG=y Review-Url: https://codereview.chromium.org/1930873002 Cr-Commit-Position: refs/heads/master@{#35903} PR-URL: https://github.com/nodejs/node-private/pull/38 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Myles Borins <myles.borins@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
-rw-r--r--deps/v8/include/v8-version.h2
-rw-r--r--deps/v8/src/zone.cc10
2 files changed, 9 insertions, 3 deletions
diff --git a/deps/v8/include/v8-version.h b/deps/v8/include/v8-version.h
index 98dca238c85..4a4a51238e6 100644
--- a/deps/v8/include/v8-version.h
+++ b/deps/v8/include/v8-version.h
@@ -11,7 +11,7 @@
#define V8_MAJOR_VERSION 4
#define V8_MINOR_VERSION 5
#define V8_BUILD_NUMBER 103
-#define V8_PATCH_LEVEL 35
+#define V8_PATCH_LEVEL 36
// Use 1 for candidates and 0 otherwise.
// (Boolean macro values are not supported by all preprocessors.)
diff --git a/deps/v8/src/zone.cc b/deps/v8/src/zone.cc
index 9dcebba2dc1..1f722f2f608 100644
--- a/deps/v8/src/zone.cc
+++ b/deps/v8/src/zone.cc
@@ -105,7 +105,10 @@ void* Zone::New(size_t size) {
Address result = position_;
const size_t size_with_redzone = size + kASanRedzoneBytes;
- if (limit_ < position_ + size_with_redzone) {
+ const uintptr_t limit = reinterpret_cast<uintptr_t>(limit_);
+ const uintptr_t position = reinterpret_cast<uintptr_t>(position_);
+ // position_ > limit_ can be true after the alignment correction above.
+ if (limit < position || size_with_redzone > limit - position) {
result = NewExpand(size_with_redzone);
} else {
position_ += size_with_redzone;
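Review bot: The new guard on the `if` line handles the `position + size_with_redzone` overflow, but `size_with_redzone = size + kASanRedzoneBytes` two lines above it can itself wrap for a `size` close to `SIZE_MAX`, which would turn an oversized request into a small bump of `position_` and hand the caller an under-sized region. Whether any caller can reach Zone::New with such a size is not visible here, so at minimum the assumption should be pinned where the sum is formed, e.g. `DCHECK_GE(size_with_redzone, size);  // size + redzone must not wrap` right after the `const size_t size_with_redzone` line. The same `limit_ < position_ || limit - position < size` test is restated in the NewExpand DCHECK in the second hunk; a small file-local helper taking the two addresses and the size would keep the two comparisons from drifting apart. Zone::New's body continues outside the hunk on both sides, including the alignment correction the new comment refers to.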
@@ -222,7 +225,10 @@ Address Zone::NewExpand(size_t size) {
// Make sure the requested size is already properly aligned and that
// there isn't enough room in the Zone to satisfy the request.
DCHECK_EQ(size, RoundDown(size, kAlignment));
- DCHECK_LT(limit_, position_ + size);
+ DCHECK(limit_ < position_ ||
+ reinterpret_cast<uintptr_t>(limit_) -
+ reinterpret_cast<uintptr_t>(position_) <
+ size);
// Compute the new segment size. We use a 'high water mark'
// strategy, where we increase the segment size every time we expand