author | Marja Hölttä <marja@chromium.org> | 2023-02-21 13:38:34 +0100 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2023-04-03 15:20:27 +0000 |
commit | b194e3d5440746a7d0257e401c515b505dac1e8d (patch) | |
tree | 37dfc520d39fc5431e343fa22273c4fd08996396 | |
parent | 22fec96c83014753f8d4d709dad25902cafa1a75 (diff) | |
download | qtwebengine-chromium-b194e3d5440746a7d0257e401c515b505dac1e8d.tar.gz |
[Backport] CVE-2023-1214: Type Confusion in V8
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/4290144:
Merged: [valueserializer] Fix map transition chain following w/ dictionary maps
Map::Update might return a dictionary map, and the calling code didn't
take it into account.
Bug: chromium:1412487
(cherry picked from commit b0db6637936a88807b5512a4de68145d0a9d6f02)
Change-Id: I01995340856b5e21d1cda51915e8a2543428cfc4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4290144
Reviewed-by: Lutz Vahl <vahl@chromium.org>
Commit-Queue: Lutz Vahl <vahl@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/branch-heads/11.1@{#18}
Cr-Branched-From: c77793a2ee5bfa7c5226dd8f622bf331b97a5a25-refs/heads/11.1.277@{#1}
Cr-Branched-From: 95b79bf04ba3f9de87f7bad77bc2d7552e5dc4d7-refs/heads/main@{#85479}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/468170
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r-- | chromium/v8/src/objects/value-serializer.cc | 47 |
1 files changed, 24 insertions, 23 deletions
diff --git a/chromium/v8/src/objects/value-serializer.cc b/chromium/v8/src/objects/value-serializer.cc
index 61a7cae8e8a..640f8621719 100644
--- a/chromium/v8/src/objects/value-serializer.cc
+++ b/chromium/v8/src/objects/value-serializer.cc
@@ -2408,37 +2408,38 @@ Maybe<uint32_t> ValueDeserializer::ReadJSObjectProperties( // Deserializaton of |value| might have deprecated current |target|, // ensure we are working with the up-to-date version. target = Map::Update(isolate_, target); - - InternalIndex descriptor(properties.size()); - PropertyDetails details = - target->instance_descriptors(isolate_).GetDetails(descriptor); - Representation expected_representation = details.representation(); - if (value->FitsRepresentation(expected_representation)) { - if (expected_representation.IsHeapObject() && - !target->instance_descriptors(isolate_) - .GetFieldType(descriptor) - .NowContains(value)) { - Handle<FieldType> value_type = - value->OptimalType(isolate_, expected_representation); - MapUpdater::GeneralizeField(isolate_, target, descriptor, - details.constness(), - expected_representation, value_type); - } - DCHECK(target->instance_descriptors(isolate_) + if (!target->is_dictionary_map()) { + InternalIndex descriptor(properties.size()); + PropertyDetails details = + target->instance_descriptors(isolate_).GetDetails(descriptor); + Representation expected_representation = details.representation(); + if (value->FitsRepresentation(expected_representation)) { + if (expected_representation.IsHeapObject() && + !target->instance_descriptors(isolate_) .GetFieldType(descriptor) - .NowContains(value)); - properties.push_back(value); - map = target; - continue; - } else { - transitioning = false; + .NowContains(value)) { + Handle<FieldType> value_type = + value->OptimalType(isolate_, expected_representation); + MapUpdater::GeneralizeField(isolate_, target, descriptor, + details.constness(), + expected_representation, value_type); + } + DCHECK(target->instance_descriptors(isolate_) + .GetFieldType(descriptor) + .NowContains(value)); + properties.push_back(value); + map = target; + continue; + } } + transitioning = false; } // Fell out of transitioning fast path. 
Commit the properties gathered so // far, and then start setting properties slowly instead. DCHECK(!transitioning); CHECK_LT(properties.size(), std::numeric_limits<uint32_t>::max()); + CHECK(!map->is_dictionary_map()); CommitProperties(object, map, properties); num_properties = static_cast<uint32_t>(properties.size()); |
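Review bot: The new `if (!target->is_dictionary_map())` guard right after `target = Map::Update(isolate_, target);` carries no comment explaining why a dictionary-mode map has to leave the fast path, even though that invariant is the whole point of this fix. Suggest `// Map::Update may have normalized |target| into dictionary mode; such a map is not laid out with the descriptor array the fast path indexes via |properties.size()|, so fall back to the slow path instead of reading field details from it.` The release-mode `CHECK(!map->is_dictionary_map())` added before `CommitProperties` is the right strength here since the deserialized bytes are untrusted input, and a one-line `// |map| is only ever assigned a non-dictionary |target| above; enforce that before committing fields.` would tie the two checks together for the next reader. The body of ReadJSObjectProperties begins before and continues past this hunk, so whether |target| can already be in dictionary mode when it enters this loop is not visible from the hunk alone.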