diff options
author | Georg Neis <neis@chromium.org> | 2020-09-11 16:37:47 +0200 |
---|---|---|
committer | Michael BrĂ¼ning <michael.bruning@qt.io> | 2020-10-12 12:20:21 +0000 |
commit | d6e06841443a40c99efd209bce6c96c8a7659c34 (patch) | |
tree | e368d6b650eeeb6996630f1dd2754ac969c1a7d6 | |
parent | 30570c933fce70af5a492587660a752b398140c2 (diff) | |
download | qtwebengine-chromium-d6e06841443a40c99efd209bce6c96c8a7659c34.tar.gz |
[Backport] CVE-2020-15965: Out of bounds write in V8
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/2404452:
[compiler] Fix bug in SimplifiedLowering's overflow computation
It's unsound to ignore -0 inputs:
-0 - INT32_MIN is outside of INT32 range.
Bug: chromium:1126249
Change-Id: I3b92f16c1201705780acb0359975329aa2ca34d1
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r-- | chromium/v8/src/compiler/simplified-lowering.cc | 17 |
1 files changed, 12 insertions, 5 deletions
diff --git a/chromium/v8/src/compiler/simplified-lowering.cc b/chromium/v8/src/compiler/simplified-lowering.cc index ac5611f5ef5..ffc45ad59a5 100644 --- a/chromium/v8/src/compiler/simplified-lowering.cc +++ b/chromium/v8/src/compiler/simplified-lowering.cc @@ -213,10 +213,16 @@ class InputUseInfos { #endif // DEBUG bool CanOverflowSigned32(const Operator* op, Type left, Type right, - Zone* type_zone) { - // We assume the inputs are checked Signed32 (or known statically - // to be Signed32). Technically, the inputs could also be minus zero, but - // that cannot cause overflow. + TypeCache const& type_cache, Zone* type_zone) { + // We assume the inputs are checked Signed32 (or known statically to be + // Signed32). Technically, the inputs could also be minus zero, which we treat + // as 0 for the purpose of this function. + if (left.Maybe(Type::MinusZero())) { + left = Type::Union(left, type_cache.kSingletonZero, type_zone); + } + if (right.Maybe(Type::MinusZero())) { + right = Type::Union(right, type_cache.kSingletonZero, type_zone); + } left = Type::Intersect(left, Type::Signed32(), type_zone); right = Type::Intersect(right, Type::Signed32(), type_zone); if (left.IsNone() || right.IsNone()) return false; @@ -1348,7 +1354,8 @@ class RepresentationSelector { if (lower()) { if (truncation.IsUsedAsWord32() || !CanOverflowSigned32(node->op(), left_feedback_type, - right_feedback_type, graph_zone())) { + right_feedback_type, type_cache_, + graph_zone())) { ChangeToPureOp(node, Int32Op(node)); } else { |