diff options
| author | cjihrig <cjihrig@gmail.com> | 2021-04-02 03:41:04 +0300 |
|---|---|---|
| committer | Danielle Adams <adamzdanielle@gmail.com> | 2021-05-08 19:44:38 +0300 |
| commit | a6dba4de55f7c40211960aa49f08a33701f58309 (patch) | |
| tree | e7ce5460407eda45c4109756dfe24d9222b6afbe /deps | |
| parent | 854a2a9c8aa0b307c657da35a98cddfbd83ae5b1 (diff) | |
deps: V8: cherry-pick 501482cbc704
Original commit message:
Fix ValueDeserializer::ReadDouble() bounds check
If end_ is smaller than sizeof(double), the result would wrap
around, and lead to an invalid memory access.
Refs: https://github.com/nodejs/node/issues/37978
Change-Id: Ibc8ddcb0c090358789a6a02f550538f91d431c1d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2801353
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73800}
PR-URL: https://github.com/nodejs/node/pull/38121
Fixes: https://github.com/nodejs/node/issues/37978
Refs: https://github.com/v8/v8/commit/501482cbc704
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: Darshan Sen <raisinten@gmail.com>
Diffstat (limited to 'deps')
| -rw-r--r-- | deps/v8/src/objects/value-serializer.cc | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/deps/v8/src/objects/value-serializer.cc b/deps/v8/src/objects/value-serializer.cc index 9e79f9ba434..74c3d15e185 100644 --- a/deps/v8/src/objects/value-serializer.cc +++ b/deps/v8/src/objects/value-serializer.cc @@ -1175,7 +1175,8 @@ Maybe<T> ValueDeserializer::ReadZigZag() { Maybe<double> ValueDeserializer::ReadDouble() { // Warning: this uses host endianness. - if (position_ > end_ - sizeof(double)) return Nothing<double>(); + if (sizeof(double) > static_cast<unsigned>(end_ - position_)) + return Nothing<double>(); double value; memcpy(&value, position_, sizeof(double)); position_ += sizeof(double); |