| field | value | date |
|---|---|---|
| author | Georg Neis <neis@chromium.org> | 2021-04-12 09:42:03 +0200 |
| committer | Michael Brüning <michael.bruning@qt.io> | 2021-04-15 15:07:51 +0000 |
| commit | eb3c33bf36498891c057e24d815444fc134c04ff (patch) | |
| tree | e5ec473546b196418388be2a365917a2a7cad91c | |
| parent | 4e224e5af48f9268d8f72b0f8adf4e9a1a470ca6 (diff) | |
| download | qtwebengine-chromium-eb3c33bf36498891c057e24d815444fc134c04ff.tar.gz | |
[Backport] CVE-2021-21220: Insufficient validation of untrusted input in V8 for x86_64
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/2820971:
[compiler][x64] Fix bug in InstructionSelector::ChangeInt32ToInt64
Bug: chromium:1196683
Change-Id: Ib4ea738b47b64edc81450583be4c80a41698c3d1
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73903}
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
-rw-r--r-- | chromium/v8/src/compiler/x64/instruction-selector-x64.cc | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/chromium/v8/src/compiler/x64/instruction-selector-x64.cc b/chromium/v8/src/compiler/x64/instruction-selector-x64.cc index b3dfb91991f..b9495417d54 100644 --- a/chromium/v8/src/compiler/x64/instruction-selector-x64.cc +++ b/chromium/v8/src/compiler/x64/instruction-selector-x64.cc @@ -1116,7 +1116,9 @@ void InstructionSelector::VisitChangeInt32ToInt64(Node* node) { opcode = load_rep.IsSigned() ? kX64Movsxwq : kX64Movzxwq; break; case MachineRepresentation::kWord32: - opcode = load_rep.IsSigned() ? kX64Movsxlq : kX64Movl; + // ChangeInt32ToInt64 must interpret its input as a _signed_ 32-bit + // integer, so here we must sign-extend the loaded value in any case. + opcode = kX64Movsxlq; break; default: UNREACHABLE(); |
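Review bot: the kWord32 arm now unconditionally emits `kX64Movsxlq`, but the arm directly above it keeps `opcode = load_rep.IsSigned() ? kX64Movsxwq : kX64Movzxwq;`, and the new comment does not say why that arm may still pick a zero-extending move; a one-line note would stop a later reader from "fixing" it the same way. The difference is that a 16-bit value zero-extended to 32 bits is a non-negative int32, so zero- and sign-extension to 64 bits agree, whereas a 32-bit load that is zero-extended can have bit 31 set, which is exactly the case the old `kX64Movl` choice got wrong for the unsigned-load path. Separately, the diffstat shows only instruction-selector-x64.cc changing, so this backport carries no regression test for that unsigned-load case; if the upstream CL at https://chromium-review.googlesource.com/c/v8/v8/+/2820971 added one, consider bringing it along so the backport cannot silently regress.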