From 50a26f4b8abb788b14a4a3bbfcfc22ced3251374 Mon Sep 17 00:00:00 2001
From: cjihrig
Date: Thu, 1 Apr 2021 20:41:04 -0400
Subject: [PATCH] deps: V8: cherry-pick 501482cbc704
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Original commit message:
Fix ValueDeserializer::ReadDouble() bounds check
If end_ is smaller than sizeof(double), the result would wrap around, and lead to an invalid memory access.
Refs: https://github.com/nodejs/node/issues/37978
Change-Id: Ibc8ddcb0c090358789a6a02f550538f91d431c1d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2801353
Reviewed-by: Marja Hölttä
Commit-Queue: Marja Hölttä
Cr-Commit-Position: refs/heads/master@{#73800}
Refs: https://github.com/v8/v8/commit/501482cbc704
Fixes: https://github.com/nodejs/node/issues/37978
---
deps/v8/src/objects/value-serializer.cc | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/deps/v8/src/objects/value-serializer.cc b/deps/v8/src/objects/value-serializer.cc
index 4ecf4832989292..246281e4e2b44b 100644
--- a/deps/v8/src/objects/value-serializer.cc
+++ b/deps/v8/src/objects/value-serializer.cc
@@ -1190,7 +1190,8 @@ Maybe ValueDeserializer::ReadZigZag() {
 Maybe ValueDeserializer::ReadDouble() {
   // Warning: this uses host endianness.
-  if (position_ > end_ - sizeof(double)) return Nothing();
+  if (sizeof(double) > static_cast(end_ - position_))
+    return Nothing();
   double value;
   base::Memcpy(&value, position_, sizeof(double));
   position_ += sizeof(double);