| Field | Value | Date |
|---|---|---|
| author | cjihrig <cjihrig@gmail.com> | 2021-04-02 03:41:04 +0300 |
| committer | cjihrig <cjihrig@gmail.com> | 2021-04-09 05:27:03 +0300 |
| commit | ca13f7aaf36ee9f88368f15f294acf171c0af859 (patch) | |
| tree | 351f0059c4a0c1e757c65b2f01c6e3de3d202192 /deps | |
| parent | dfe3f952a3ecbb9c046497e7e0b73e6104082072 (diff) | |
deps: V8: cherry-pick 501482cbc704
Original commit message:
Fix ValueDeserializer::ReadDouble() bounds check
If end_ is smaller than sizeof(double), the result would wrap
around, and lead to an invalid memory access.
Refs: https://github.com/nodejs/node/issues/37978
Change-Id: Ibc8ddcb0c090358789a6a02f550538f91d431c1d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2801353
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73800}
PR-URL: https://github.com/nodejs/node/pull/38121
Fixes: https://github.com/nodejs/node/issues/37978
Refs: https://github.com/v8/v8/commit/501482cbc704
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: Darshan Sen <raisinten@gmail.com>
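The wrap-around the commit message describes, as an added example that is not V8's or Node's own code: a hypothetical cursor type stands in for the deserializer's `position_`/`end_` pair, the pre-fix check is mirrored on integer addresses so the demo itself has no undefined behaviour, and an empty input with a null data pointer shows why the old check lets an 8-byte read through while the remaining-length check refuses it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for the deserializer cursor (not V8's code):
 * current read position and one-past-the-end pointer of the input. */
typedef struct {
    const uint8_t *position;
    const uint8_t *end;
} cursor_t;

/* Pre-fix check on integer addresses. `end - sizeof(double)` is computed
 * first: for an empty input with a null data pointer, end is 0, the
 * subtraction wraps to UINTPTR_MAX - 7, position (0) is not greater, and
 * the 8-byte read is wrongly allowed. Returns true if the read proceeds. */
static bool old_check_allows_read(const cursor_t *c) {
    uintptr_t pos = (uintptr_t)c->position;
    uintptr_t limit = (uintptr_t)c->end - sizeof(double);
    return !(pos > limit);
}

/* Post-fix check: compare the remaining length, which cannot wrap while
 * position <= end. Returns true only if 8 bytes remain. */
static bool new_check_allows_read(const cursor_t *c) {
    size_t remaining = (uintptr_t)c->end - (uintptr_t)c->position;
    return !(sizeof(double) > remaining);
}

/* ReadDouble with the fixed check: copies 8 bytes (host endianness, as
 * the original warns), advances the cursor and returns true; on short
 * input it returns false and leaves the cursor untouched. */
static bool read_double(cursor_t *c, double *out) {
    if (!new_check_allows_read(c)) return false;
    memcpy(out, c->position, sizeof(double));
    c->position += sizeof(double);
    return true;
}

/* Empty input (null pointer, zero length): would the chosen check let
 * the read through? The old one does; the fixed one does not. */
static bool empty_input_allowed(bool fixed) {
    cursor_t c = { NULL, NULL };
    return fixed ? new_check_allows_read(&c) : old_check_allows_read(&c);
}

/* Round-trips v through the first n bytes of an 8-byte buffer using the
 * fixed read; true only when n >= 8 and the value survives intact. */
static bool roundtrip_ok(double v, size_t n) {
    uint8_t buf[sizeof(double)] = { 0 };
    memcpy(buf, &v, sizeof buf);
    cursor_t c = { buf, buf + (n < sizeof buf ? n : sizeof buf) };
    double out = 0.0;
    return read_double(&c, &out) && out == v && c.position == c.end;
}
```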
Diffstat (limited to 'deps')

| Mode | File | Lines |
|---|---|---|
| -rw-r--r-- | deps/v8/src/objects/value-serializer.cc | 3 |

1 files changed, 2 insertions, 1 deletions
diff --git a/deps/v8/src/objects/value-serializer.cc b/deps/v8/src/objects/value-serializer.cc index 4ecf4832989..246281e4e2b 100644 --- a/deps/v8/src/objects/value-serializer.cc +++ b/deps/v8/src/objects/value-serializer.cc @@ -1190,7 +1190,8 @@ Maybe<T> ValueDeserializer::ReadZigZag() { Maybe<double> ValueDeserializer::ReadDouble() { // Warning: this uses host endianness. - if (position_ > end_ - sizeof(double)) return Nothing<double>(); + if (sizeof(double) > static_cast<unsigned>(end_ - position_)) + return Nothing<double>(); double value; base::Memcpy(&value, position_, sizeof(double)); position_ += sizeof(double); |
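Review bot: the replacement check in ReadDouble() is only sound under the invariant position_ <= end_; if position_ ever ran past end_, the negative difference would cast to a very large unsigned and `sizeof(double) > static_cast<unsigned>(end_ - position_)` would pass. That invariant is what every other bounds check in this deserializer relies on, so the change is correct as written, but consider `static_cast<size_t>` instead of `unsigned` so the remaining length is not truncated to 32 bits on 64-bit targets (truncation here can only yield a spurious Nothing<double>(), never an over-read, but it is needless). The rewrite does remove the actual defect: `end_ - sizeof(double)` formed a pointer before the start of any buffer shorter than eight bytes, which wrapped when end_ was small and let the following base::Memcpy read out of bounds.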