author | Michael Brüning <michael.bruning@qt.io> | 2021-10-07 17:26:06 +0200 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2021-10-11 09:37:18 +0000 |
commit | 0d42258e5a6278e417d8059a8ee9adf86b4b1738 (patch) | |
tree | a6f8a4c7f30363437a64667cbad2812004a7d4b4 | |
parent | 1b284e5be03a82d966a84ef0c2d09c7e3d894ccc (diff) | |
download | qtwebengine-chromium-0d42258e5a6278e417d8059a8ee9adf86b4b1738.tar.gz |
Revert "[Backport] CVE-2021-21231: Insufficient data validation in V8"
This reverts commit bda00397362bf03ff7b8d88fa54625524f604c7e.
Change-Id: Ic97b0aa8e97b4117aab09ed63fa05711b3164a35
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- | chromium/v8/src/compiler/js-call-reducer.cc | 30 |
1 files changed, 9 insertions, 21 deletions
diff --git a/chromium/v8/src/compiler/js-call-reducer.cc b/chromium/v8/src/compiler/js-call-reducer.cc
index a8dfd99b948..c966c4fc788 100644
--- a/chromium/v8/src/compiler/js-call-reducer.cc
+++ b/chromium/v8/src/compiler/js-call-reducer.cc
@@ -4513,30 +4513,24 @@ Reduction JSCallReducer::ReduceArrayPrototypePop(Node* node) {
     }
 
     // Compute the new {length}.
-    Node* new_length = graph()->NewNode(simplified()->NumberSubtract(),
-                                        length, jsgraph()->OneConstant());
-
-    // This extra check exists solely to break an exploitation technique
-    // that abuses typer mismatches.
-    new_length = efalse = graph()->NewNode(
-        simplified()->CheckBounds(p.feedback()),
-        new_length, length, efalse, if_false);
+    length = graph()->NewNode(simplified()->NumberSubtract(), length,
+                              jsgraph()->OneConstant());
 
     // Store the new {length} to the {receiver}.
     efalse = graph()->NewNode(
         simplified()->StoreField(AccessBuilder::ForJSArrayLength(kind)),
-        receiver, new_length, efalse, if_false);
+        receiver, length, efalse, if_false);
 
     // Load the last entry from the {elements}.
     vfalse = efalse = graph()->NewNode(
         simplified()->LoadElement(AccessBuilder::ForFixedArrayElement(kind)),
-        elements, new_length, efalse, if_false);
+        elements, length, efalse, if_false);
 
     // Store a hole to the element we just removed from the {receiver}.
     efalse = graph()->NewNode(
         simplified()->StoreElement(
             AccessBuilder::ForFixedArrayElement(GetHoleyElementsKind(kind))),
-        elements, new_length, jsgraph()->TheHoleConstant(), efalse, if_false);
+        elements, length, jsgraph()->TheHoleConstant(), efalse, if_false);
   }
 
   control = graph()->NewNode(common()->Merge(2), if_true, if_false);
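Review bot: The new side of this hunk feeds the unchecked `length - 1` straight into the LoadElement and StoreElement nodes, which is exactly the typer-mismatch exploitation surface the reverted backport closed (the removed comment says so), so a typer bug on `length` can again make the pop fast path read and write `elements` out of bounds with no runtime check. The commit message gives no reason for backing out a CVE fix; if the backport failed to build here — `p` is declared outside the hunk and may not exist in this V8 snapshot's ReduceArrayPrototypePop — that should be stated and the check re-landed rather than dropped, e.g. keeping `new_length = efalse = graph()->NewNode(simplified()->CheckBounds(<feedback>), new_length, length, efalse, if_false);` with whichever empty feedback-source value this version's CheckBounds accepts. Until that happens the bundled V8 is back at its pre-fix state for CVE-2021-21231, which deserves an explicit sentence in the change description. ReduceArrayPrototypePop begins and ends outside this hunk.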
@@ -4689,25 +4683,19 @@ Reduction JSCallReducer::ReduceArrayPrototypeShift(Node* node) {
       }
 
       // Compute the new {length}.
-      Node* new_length = graph()->NewNode(simplified()->NumberSubtract(),
-                                          length, jsgraph()->OneConstant());
-
-      // This extra check exists solely to break an exploitation technique
-      // that abuses typer mismatches.
-      new_length = etrue1 = graph()->NewNode(
-          simplified()->CheckBounds(p.feedback()),
-          new_length, length, etrue1, if_true1);
+      length = graph()->NewNode(simplified()->NumberSubtract(), length,
+                                jsgraph()->OneConstant());
 
       // Store the new {length} to the {receiver}.
       etrue1 = graph()->NewNode(
           simplified()->StoreField(AccessBuilder::ForJSArrayLength(kind)),
-          receiver, new_length, etrue1, if_true1);
+          receiver, length, etrue1, if_true1);
 
       // Store a hole to the element we just removed from the {receiver}.
       etrue1 = graph()->NewNode(
           simplified()->StoreElement(
               AccessBuilder::ForFixedArrayElement(GetHoleyElementsKind(kind))),
-          elements, new_length, jsgraph()->TheHoleConstant(), etrue1, if_true1);
+          elements, length, jsgraph()->TheHoleConstant(), etrue1, if_true1);
     }
 
     Node* if_false1 = graph()->NewNode(common()->IfFalse(), branch1);
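Review bot: The StoreElement of the hole at the end of this hunk is now indexed by the `length` recomputed two statements earlier with no CheckBounds tying it to the loaded length, so the shift path loses the same typer-mismatch guard as pop and an out-of-range index reaches the store unchecked. If the revert is only because `p.feedback()` does not resolve in this snapshot (its declaration is outside the hunk, so I cannot confirm that), re-landing `new_length = etrue1 = graph()->NewNode(simplified()->CheckBounds(<feedback>), new_length, length, etrue1, if_true1);` with an empty feedback source would keep the hardening without the build dependency. ReduceArrayPrototypeShift begins and ends outside this hunk.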