Skip to content

Commit

Permalink
deps: V8: cherry-pick 501482cbc704
Browse files Browse the repository at this point in the history
Original commit message:

    Fix ValueDeserializer::ReadDouble() bounds check

    If end_ is smaller than sizeof(double), the result would wrap
    around, and lead to an invalid memory access.

    Refs: nodejs#37978
    Change-Id: Ibc8ddcb0c090358789a6a02f550538f91d431c1d
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2801353
    Reviewed-by: Marja Hölttä <marja@chromium.org>
    Commit-Queue: Marja Hölttä <marja@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#73800}

Refs: v8/v8@501482cbc704
Fixes: nodejs#37978
  • Loading branch information
cjihrig committed Apr 7, 2021
1 parent 6986fa0 commit 50a26f4
Showing 1 changed file with 2 additions and 1 deletion.
3 changes: 2 additions & 1 deletion deps/v8/src/objects/value-serializer.cc
Original file line number Diff line number Diff line change
Expand Up @@ -1190,7 +1190,8 @@ Maybe<T> ValueDeserializer::ReadZigZag() {

Maybe<double> ValueDeserializer::ReadDouble() {
// Warning: this uses host endianness.
if (position_ > end_ - sizeof(double)) return Nothing<double>();
if (sizeof(double) > static_cast<unsigned>(end_ - position_))
return Nothing<double>();
double value;
base::Memcpy(&value, position_, sizeof(double));
position_ += sizeof(double);
Expand Down

0 comments on commit 50a26f4

Please sign in to comment.