author | Igor Sheludko <ishell@chromium.org> | 2023-04-12 16:12:16 +0200 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2023-05-02 08:59:08 +0000 |
commit | 84f868f86c24f7d19814a72855ea327bdfa775e5 (patch) | |
tree | 1d1b3b9f38f17512a11645c0c2101f808c5410a9 | |
parent | d82c07428deb6d22b3cfbd41e891b094145efe7e (diff) | |
download | qtwebengine-chromium-84f868f86c24f7d19814a72855ea327bdfa775e5.tar.gz | |
[Backport] CVE-2023-2033: Type Confusion in V8
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/4422621:
Reland "[M108-LTS][runtime] Make Error.captureStackTrace() a no-op for global object"
This is a reland of commit 12be50e5ccf198c6353bc82fe0d17e614bfb7431
Original change's description:
> [M108-LTS][runtime] Make Error.captureStackTrace() a no-op for global object
>
> (cherry picked from commit fa81078cca6964def7a3833704e0dba7b05065d8)
>
> Bug: chromium:1432210
> Change-Id: I8aa4c3f1d9ecbfffce503085c2879416ff916c69
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4417690
> Commit-Queue: Igor Sheludko <ishell@chromium.org>
> Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
> Auto-Submit: Igor Sheludko <ishell@chromium.org>
> Cr-Original-Commit-Position: refs/heads/main@{#87045}
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4422621
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Cr-Commit-Position: refs/branch-heads/10.8@{#52}
> Cr-Branched-From: f1bc03fd6b4c201abd9f0fd9d51fb989150f97b9-refs/heads/10.8.168@{#1}
> Cr-Branched-From: 237de893e1c0a0628a57d0f5797483d3add7f005-refs/heads/main@{#83672}
Bug: chromium:1432210
No-Try: true
No-Presubmit: true
No-Tree-Checks: true
Change-Id: I4c06a76db005a61b2259b836c1f06c78eb004e16
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4459252
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Roger Felipe Zanoni da Silva <rzanoni@google.com>
Cr-Commit-Position: refs/branch-heads/10.8@{#56}
Cr-Branched-From: f1bc03fd6b4c201abd9f0fd9d51fb989150f97b9-refs/heads/10.8.168@{#1}
Cr-Branched-From: 237de893e1c0a0628a57d0f5797483d3add7f005-refs/heads/main@{#83672}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/474370
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- | chromium/v8/src/builtins/builtins-error.cc | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/chromium/v8/src/builtins/builtins-error.cc b/chromium/v8/src/builtins/builtins-error.cc index adb180fba89..4a8dec419d3 100644 --- a/chromium/v8/src/builtins/builtins-error.cc +++ b/chromium/v8/src/builtins/builtins-error.cc @@ -35,6 +35,9 @@ BUILTIN(ErrorCaptureStackTrace) { THROW_NEW_ERROR_RETURN_FAILURE( isolate, NewTypeError(MessageTemplate::kInvalidArgument, object_obj)); } + if (object_obj->IsJSGlobalProxy()) { + return ReadOnlyRoots(isolate).undefined_value(); + } Handle<JSObject> object = Handle<JSObject>::cast(object_obj); Handle<Object> caller = args.atOrUndefined(isolate, 2); |
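Review bot: the new early return for `object_obj->IsJSGlobalProxy()` carries no comment explaining why the global proxy is special-cased, and the diffstat shows no accompanying test (only builtins-error.cc changes), so the rationale lives only in the commit title. Suggest a one-line comment above the check, e.g. `// Error.captureStackTrace() is a no-op for the global object (chromium:1432210).`, plus a regression test that calls `Error.captureStackTrace(globalThis)` and asserts it returns undefined and leaves the global object unchanged, so the no-op behaviour cannot regress silently. Placement is correct as written: the check comes after the `kInvalidArgument` throw, so non-object arguments still raise the TypeError, and before `Handle<JSObject>::cast(object_obj)`, so the global proxy never reaches the cast or the code that follows it.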