From aa004024cb5264799cc9ef95d1297ca6ce112c17 Mon Sep 17 00:00:00 2001 From: Michael Bruening Date: Wed, 10 Nov 2021 12:19:13 +0100 Subject: Revert "[Backport] CVE-2021-21227: Insufficient data validation in V8" This reverts commit bc38ef79d8c2e9ff87fac1937c31b0e5b7d740a2. Change-Id: I492e1c163ddda95f23cfba2b7aecc489d3ca5d75 Reviewed-by: Allan Sandfeld Jensen --- chromium/v8/src/compiler/simplified-lowering.cc | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/chromium/v8/src/compiler/simplified-lowering.cc b/chromium/v8/src/compiler/simplified-lowering.cc index e2f34f08796..867a3f9d4a5 100644 --- a/chromium/v8/src/compiler/simplified-lowering.cc +++ b/chromium/v8/src/compiler/simplified-lowering.cc @@ -1318,15 +1318,10 @@ class RepresentationSelector { Type right_feedback_type = TypeOf(node->InputAt(1)); // Using Signed32 as restriction type amounts to promising there won't be - // signed overflow. This is incompatible with relying on a Word32 truncation - // in order to skip the overflow check. Similarly, we must not drop -0 from - // the result type unless we deopt for -0 inputs. + // signed overflow. This is incompatible with relying on a Word32 + // truncation in order to skip the overflow check. Type const restriction = - truncation.IsUsedAsWord32() - ? Type::Any() - : (truncation.identify_zeros() == kIdentifyZeros) - ? Type::Signed32OrMinusZero() - : Type::Signed32(); + truncation.IsUsedAsWord32() ? Type::Any() : Type::Signed32(); // Handle the case when no int32 checks on inputs are necessary (but // an overflow check is needed on the output). Note that we do not -- cgit v1.2.1