authorGeorg Neis <neis@chromium.org>2021-04-19 13:12:46 +0200
committerMichael Brüning <michael.bruning@qt.io>2021-05-07 08:28:08 +0000
commit4bf755ea017b3152b3ee9eb8fe9542ca6b374fe0 (patch)
tree2b1876642b7ff1dab0b839099c4946275790e1f2
parentbc38ef79d8c2e9ff87fac1937c31b0e5b7d740a2 (diff)
downloadqtwebengine-chromium-4bf755ea017b3152b3ee9eb8fe9542ca6b374fe0.tar.gz
[Backport] CVE-2021-21230: Type Confusion in V8
Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/v8/v8/+/2835705: Fix off-by-one error in kAdditiveSafeInteger Bug: chromium:1198705 Change-Id: I6b3ad82754e1ca72701ce57f16c4f085f8c87f77 Auto-Submit: Georg Neis <neis@chromium.org> Commit-Queue: Nico Hartmann <nicohartmann@chromium.org> Reviewed-by: Nico Hartmann <nicohartmann@chromium.org> Cr-Commit-Position: refs/heads/master@{#74033} Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/v8/src/compiler/type-cache.h2
1 files changed, 1 insertions, 1 deletions
diff --git a/chromium/v8/src/compiler/type-cache.h b/chromium/v8/src/compiler/type-cache.h
index 23b84b7807c..2d285fbca15 100644
--- a/chromium/v8/src/compiler/type-cache.h
+++ b/chromium/v8/src/compiler/type-cache.h
@@ -75,7 +75,7 @@ class TypeCache final {
Type::Union(kPositiveIntegerOrMinusZero, Type::NaN(), zone());
Type const kAdditiveSafeInteger =
- CreateRange(-4503599627370496.0, 4503599627370496.0);
+ CreateRange(-4503599627370495.0, 4503599627370495.0);
Type const kSafeInteger = CreateRange(-kMaxSafeInteger, kMaxSafeInteger);
Type const kAdditiveSafeIntegerOrMinusZero =
Type::Union(kAdditiveSafeInteger, Type::MinusZero(), zone());
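Review bot: The corrected bounds on the `+` line remain unexplained magic numbers, while `kSafeInteger` two lines below is written in terms of the named `kMaxSafeInteger`, so a reader cannot see why 4503599627370495 (2^52 - 1) rather than 2^52 is the right limit. Add a comment above `kAdditiveSafeInteger` such as `// |x| <= 2^52 - 1, so the sum or difference of two such values stays below 2^53 and remains a safe integer; allowing 2^52 itself lets x + y reach 2^53, which is the off-by-one this range previously had.` That reasoning assumes `kMaxSafeInteger` is 2^53 - 1, which is not visible in this hunk and should be confirmed against its definition. Expressing the range as plus/minus a named constant alongside `kMaxSafeInteger` would also make the fixed off-by-one harder to reintroduce. The enclosing `TypeCache` class starts and ends outside the hunk.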