Fix ValueDeserializer::ReadDouble() bounds check
If end_ is smaller than sizeof(double), the result would wrap
around, and lead to an invalid memory access.

Refs: nodejs/node#37978
Change-Id: Ibc8ddcb0c090358789a6a02f550538f91d431c1d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2801353
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73800}
cjihrig authored and Commit Bot committed Apr 6, 2021
1 parent ced669d commit 501482c
Showing 1 changed file with 2 additions and 1 deletion.
3 changes: 2 additions & 1 deletion src/objects/value-serializer.cc
Expand Up @@ -1202,7 +1202,8 @@ Maybe<T> ValueDeserializer::ReadZigZag() {

Maybe<double> ValueDeserializer::ReadDouble() {
// Warning: this uses host endianness.
if (position_ > end_ - sizeof(double)) return Nothing<double>();
if (sizeof(double) > static_cast<unsigned>(end_ - position_))
return Nothing<double>();
double value;
base::Memcpy(&value, position_, sizeof(double));
position_ += sizeof(double);
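Review bot: the replacement check `if (sizeof(double) > static_cast<unsigned>(end_ - position_))` casts a `ptrdiff_t` to `unsigned`, which truncates the difference on 64-bit builds and, if `position_` were ever to exceed `end_`, turns the negative difference into a large positive value so the bounds check passes; `static_cast<size_t>(end_ - position_)` avoids the truncation, and a `DCHECK_LE(position_, end_)` before the comparison would record the invariant the new check relies on. The old form `position_ > end_ - sizeof(double)` is correctly dropped, since computing `end_ - sizeof(double)` on a buffer shorter than eight bytes is the out-of-range pointer arithmetic the commit message describes.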