| field | value | date |
|---|---|---|
| author | Georg Neis <neis@chromium.org> | 2021-04-20 13:48:07 +0200 |
| committer | Michael Brüning <michael.bruning@qt.io> | 2021-05-07 08:28:02 +0000 |
| commit | bc38ef79d8c2e9ff87fac1937c31b0e5b7d740a2 (patch) | |
| tree | 3847fb63c5762571f82118587a05a1e28c3ecf84 | |
| parent | 68da9a772754afd7d21148ec0f209ea6c136250f (diff) | |
[Backport] CVE-2021-21227: Insufficient data validation in V8
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/2839559:
Merged: [compiler] Fix a bug in VisitSpeculativeIntegerAdditiveOp
Revision: 9313c4ce3f32ad81df1c65becccec7e129181ce3
BUG=chromium:1199345
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=nicohartmann@chromium.org
Change-Id: I0ee9f13815b1a7d248d4caa506c6930697e1866c
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/branch-heads/9.0@{#41}
Cr-Branched-From: bd0108b4c88e0d6f2350cb79b5f363fbd02f3eb7-refs/heads/9.0.257@{#1}
Cr-Branched-From: 349bcc6a075411f1a7ce2d866c3dfeefc2efa39d-refs/heads/master@{#73001}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- | chromium/v8/src/compiler/simplified-lowering.cc | 11 |
1 files changed, 8 insertions, 3 deletions
diff --git a/chromium/v8/src/compiler/simplified-lowering.cc b/chromium/v8/src/compiler/simplified-lowering.cc index 867a3f9d4a5..e2f34f08796 100644 --- a/chromium/v8/src/compiler/simplified-lowering.cc +++ b/chromium/v8/src/compiler/simplified-lowering.cc @@ -1318,10 +1318,15 @@ class RepresentationSelector { Type right_feedback_type = TypeOf(node->InputAt(1)); // Using Signed32 as restriction type amounts to promising there won't be - // signed overflow. This is incompatible with relying on a Word32 - // truncation in order to skip the overflow check. + // signed overflow. This is incompatible with relying on a Word32 truncation + // in order to skip the overflow check. Similarly, we must not drop -0 from + // the result type unless we deopt for -0 inputs. Type const restriction = - truncation.IsUsedAsWord32() ? Type::Any() : Type::Signed32(); + truncation.IsUsedAsWord32() + ? Type::Any() + : (truncation.identify_zeros() == kIdentifyZeros) + ? Type::Signed32OrMinusZero() + : Type::Signed32(); // Handle the case when no int32 checks on inputs are necessary (but // an overflow check is needed on the output). Note that we do not |
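Review bot: the nested ternary in the `restriction` initializer is hard to scan, and the three-way rule the new comment spells out (Word32 truncation gives `Type::Any()`, `kIdentifyZeros` gives `Type::Signed32OrMinusZero()`, everything else gives `Type::Signed32()`) would read more clearly as an `if` / `else if` chain or a small named helper; as written, a reader has to work out which `?` the second `:` belongs to. The middle case is only sound under the invariant the comment states, that -0 may be dropped from the result type only when a -0 deoptimization check is emitted, so the lowering that follows this hunk ("Handle the case when no int32 checks on inputs are necessary ...") should be confirmed to emit that check exactly when `identify_zeros()` is not `kIdentifyZeros`. The diffstat shows only simplified-lowering.cc touched, so this backport carries no regression test for the -0 case; if the branch has the test harness, the upstream change's test should be cherry-picked alongside.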