author | Georg Neis <neis@chromium.org> | 2021-04-19 13:12:46 +0200 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2021-05-07 08:28:08 +0000 |
commit | 4bf755ea017b3152b3ee9eb8fe9542ca6b374fe0 (patch) | |
tree | 2b1876642b7ff1dab0b839099c4946275790e1f2 | |
parent | bc38ef79d8c2e9ff87fac1937c31b0e5b7d740a2 (diff) | |
download | qtwebengine-chromium-4bf755ea017b3152b3ee9eb8fe9542ca6b374fe0.tar.gz |
[Backport] CVE-2021-21230: Type Confusion in V8
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/2835705:
Fix off-by-one error in kAdditiveSafeInteger
Bug: chromium:1198705
Change-Id: I6b3ad82754e1ca72701ce57f16c4f085f8c87f77
Auto-Submit: Georg Neis <neis@chromium.org>
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74033}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- | chromium/v8/src/compiler/type-cache.h | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/chromium/v8/src/compiler/type-cache.h b/chromium/v8/src/compiler/type-cache.h index 23b84b7807c..2d285fbca15 100644 --- a/chromium/v8/src/compiler/type-cache.h +++ b/chromium/v8/src/compiler/type-cache.h @@ -75,7 +75,7 @@ class TypeCache final { Type::Union(kPositiveIntegerOrMinusZero, Type::NaN(), zone()); Type const kAdditiveSafeInteger = - CreateRange(-4503599627370496.0, 4503599627370496.0); + CreateRange(-4503599627370495.0, 4503599627370495.0); Type const kSafeInteger = CreateRange(-kMaxSafeInteger, kMaxSafeInteger); Type const kAdditiveSafeIntegerOrMinusZero = Type::Union(kAdditiveSafeInteger, Type::MinusZero(), zone()); |
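Review bot: The new bound in the `kAdditiveSafeInteger` hunk is correct but undocumented; the constant deserves a comment tying it to `kMaxSafeInteger`, which sits two lines below it. The value being replaced, 4503599627370496, is 2^52, and the sum of two such values is 2^53, which is one above the maximum safe integer 2^53-1 used by `kSafeInteger = CreateRange(-kMaxSafeInteger, kMaxSafeInteger)`; so 2^52 itself is not additively safe and the correct bound is 2^52-1 = 4503599627370495, as the `+` line now has. Suggest either a comment stating the invariant (any two values in this range can be added without leaving the safe-integer range) or expressing the bound in terms of the existing constant, e.g. `(kMaxSafeInteger - 1) / 2`, so the relationship cannot drift again. A regression test that exercises the boundary values 4503599627370495 and 4503599627370496 is not part of this change and would be worth adding alongside it.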