From df0eb9e1fd2ba325e2696cae69650d3162393155 Mon Sep 17 00:00:00 2001
From: Igor Sheludko <ishell@chromium.org>
Date: Wed, 12 Apr 2023 16:12:16 +0200
Subject: [Backport] CVE-2023-2033: Type Confusion in V8

Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/4422621:
Reland "[M108-LTS][runtime] Make Error.captureStackTrace() a no-op for global object"

This is a reland of commit 12be50e5ccf198c6353bc82fe0d17e614bfb7431

Original change's description:
> [M108-LTS][runtime] Make Error.captureStackTrace() a no-op for global object
>
> (cherry picked from commit fa81078cca6964def7a3833704e0dba7b05065d8)
>
> Bug: chromium:1432210
> Change-Id: I8aa4c3f1d9ecbfffce503085c2879416ff916c69
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4417690
> Commit-Queue: Igor Sheludko <ishell@chromium.org>
> Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
> Auto-Submit: Igor Sheludko <ishell@chromium.org>
> Cr-Original-Commit-Position: refs/heads/main@{#87045}
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4422621
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Cr-Commit-Position: refs/branch-heads/10.8@{#52}
> Cr-Branched-From: f1bc03fd6b4c201abd9f0fd9d51fb989150f97b9-refs/heads/10.8.168@{#1}
> Cr-Branched-From: 237de893e1c0a0628a57d0f5797483d3add7f005-refs/heads/main@{#83672}

Bug: chromium:1432210
No-Try: true
No-Presubmit: true
No-Tree-Checks: true
Change-Id: I4c06a76db005a61b2259b836c1f06c78eb004e16
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4459252
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Roger Felipe Zanoni da Silva <rzanoni@google.com>
Cr-Commit-Position: refs/branch-heads/10.8@{#56}
Cr-Branched-From: f1bc03fd6b4c201abd9f0fd9d51fb989150f97b9-refs/heads/10.8.168@{#1}
Cr-Branched-From: 237de893e1c0a0628a57d0f5797483d3add7f005-refs/heads/main@{#83672}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/475989
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
---
 chromium/v8/src/builtins/builtins-error.cc | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/chromium/v8/src/builtins/builtins-error.cc b/chromium/v8/src/builtins/builtins-error.cc
index 840298eacbf..6d0231129b5 100644
--- a/chromium/v8/src/builtins/builtins-error.cc
+++ b/chromium/v8/src/builtins/builtins-error.cc
@@ -34,6 +34,9 @@ BUILTIN(ErrorCaptureStackTrace) {
     THROW_NEW_ERROR_RETURN_FAILURE(
         isolate, NewTypeError(MessageTemplate::kInvalidArgument, object_obj));
   }
+  if (object_obj->IsJSGlobalProxy()) {
+    return ReadOnlyRoots(isolate).undefined_value();
+  }
 
   Handle<JSObject> object = Handle<JSObject>::cast(object_obj);
   Handle<Object> caller = args.atOrUndefined(isolate, 2);
-- 
cgit v1.2.1