From ca13f7aaf36ee9f88368f15f294acf171c0af859 Mon Sep 17 00:00:00 2001
From: cjihrig
Date: Thu, 1 Apr 2021 20:41:04 -0400
Subject: [PATCH] deps: V8: cherry-pick 501482cbc704
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Original commit message:
Fix ValueDeserializer::ReadDouble() bounds check
If end_ is smaller than sizeof(double), the result would wrap around, and lead to an invalid memory access.
Refs: https://github.com/nodejs/node/issues/37978
Change-Id: Ibc8ddcb0c090358789a6a02f550538f91d431c1d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2801353
Reviewed-by: Marja Hölttä
Commit-Queue: Marja Hölttä
Cr-Commit-Position: refs/heads/master@{#73800}
PR-URL: https://github.com/nodejs/node/pull/38121
Fixes: https://github.com/nodejs/node/issues/37978
Refs: https://github.com/v8/v8/commit/501482cbc704
Reviewed-By: James M Snell
Reviewed-By: Jiawen Geng
Reviewed-By: Darshan Sen
---
 common.gypi | 2 +-
 deps/v8/src/objects/value-serializer.cc | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/common.gypi b/common.gypi
index 5e6383ab3cc44d..ba6b791a6ccf82 100644
--- a/common.gypi
+++ b/common.gypi
@@ -36,7 +36,7 @@
 # Reset this number to 0 on major V8 upgrades.
 # Increment by one for each non-official patch applied to deps/v8.
- 'v8_embedder_string': '-node.8',
+ 'v8_embedder_string': '-node.9',
 ##### V8 defaults for Node.js #####
diff --git a/deps/v8/src/objects/value-serializer.cc b/deps/v8/src/objects/value-serializer.cc
index 4ecf4832989292..246281e4e2b44b 100644
--- a/deps/v8/src/objects/value-serializer.cc
+++ b/deps/v8/src/objects/value-serializer.cc
@@ -1190,7 +1190,8 @@ Maybe ValueDeserializer::ReadZigZag() {
 Maybe ValueDeserializer::ReadDouble() {
 // Warning: this uses host endianness.
- if (position_ > end_ - sizeof(double)) return Nothing();
+ if (sizeof(double) > static_cast(end_ - position_))
+ return Nothing();
 double value;
 base::Memcpy(&value, position_, sizeof(double));
 position_ += sizeof(double);
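Review bot: The rewritten guard on the two `+` lines is only sound while `position_ <= end_` holds, because a negative `end_ - position_` cast to an unsigned type wraps to a large value and the `base::Memcpy` below would still read past the buffer; nothing in the hunk establishes that invariant at this point. Adding `DCHECK_LE(position_, end_);` immediately before the comparison would document the precondition and catch a violation in debug builds without changing release behaviour. The template argument of the `static_cast` has been stripped in this rendering; if it is narrower than `size_t`, a remaining length beyond that type's range is truncated, which can only make the check fail closed, but `static_cast<size_t>(end_ - position_)` avoids the spurious rejection on very large inputs. ReadDouble's body continues past the end of the hunk.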