authorAnna Henningsen <anna@addaleax.net>2019-03-15 22:58:28 +0100
committerRefael Ackermann <refack@gmail.com>2019-03-28 16:37:31 -0400
commitbf572c7831fd121701c5571371ccd5ff7514c42c (patch)
treefda98b5752e91388eb2dc1af5b44aaab1103f23f /deps/v8/src/builtins
parent09f134fccf605476e0a0b8df01164946c5b1236a (diff)
deps: V8: cherry-pick 91f0cd0
Original commit message: [ubsan] Fix various ClusterFuzz-found issues Fixing a few float and int overflows. Drive-by fix: with --experimental-wasm-bigint, Number values may not be used to initialize i64-typed globals. The existing code for doing that relied on UB; since it's a spec violation the fix is to throw instead. No regression test for 933103 because it will OOM anyway. No regression test for 932896 because it would be extremely slow. Bug: chromium:927894, chromium:927996, chromium:930086, chromium:932679, chromium:932896, chromium:933103, chromium:933134 Change-Id: Iae1c1ff1038af4512a52d3e56b8c4b75f2233314 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1495911 Commit-Queue: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Reviewed-by: Adam Klein <adamk@chromium.org> Cr-Commit-Position: refs/heads/master@{#60075} Refs: https://github.com/v8/v8/commit/91f0cd00820a6e8d4567c1ce3a51d48a28165ab5 PR-URL: https://github.com/nodejs/node/pull/26685 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: Refael Ackermann <refack@gmail.com>
Diffstat (limited to 'deps/v8/src/builtins')
-rw-r--r--deps/v8/src/builtins/builtins-string.cc7
-rw-r--r--deps/v8/src/builtins/builtins-typed-array.cc19
2 files changed, 14 insertions, 12 deletions
diff --git a/deps/v8/src/builtins/builtins-string.cc b/deps/v8/src/builtins/builtins-string.cc
index d114a0e86b..43edd628d7 100644
--- a/deps/v8/src/builtins/builtins-string.cc
+++ b/deps/v8/src/builtins/builtins-string.cc
@@ -448,7 +448,12 @@ BUILTIN(StringRaw) {
Object::ToLength(isolate, raw_len));
IncrementalStringBuilder result_builder(isolate);
- const uint32_t length = static_cast<uint32_t>(raw_len->Number());
+ // Intentional spec violation: we ignore {length} values >= 2^32, because
+ // assuming non-empty chunks they would generate too-long strings anyway.
+ const double raw_len_number = raw_len->Number();
+ const uint32_t length = raw_len_number > std::numeric_limits<uint32_t>::max()
+ ? std::numeric_limits<uint32_t>::max()
+ : static_cast<uint32_t>(raw_len_number);
if (length > 0) {
Handle<Object> first_element;
ASSIGN_RETURN_FAILURE_ON_EXCEPTION(isolate, first_element,
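Review bot: The new comment above the clamp says {length} values >= 2^32 are "ignored", but the code on the lines below clamps them to UINT32_MAX and still enters the `if (length > 0)` element loop with that count; the commit message itself admits a 2^32-length input "would be extremely slow", so the comment should describe what actually happens, e.g. `// Intentional spec violation: {length} values > 2^32-1 are clamped to 2^32-1; with non-empty chunks the result would exceed the maximum string length anyway.` Since `raw_len` has already gone through ToLength on the line above, it is a non-negative integer, which is why only the upper bound is checked before the `static_cast<uint32_t>` — a half-sentence saying so would stop the missing `< 0` case from being read as an oversight. If this file does not already include `<limits>`, `std::numeric_limits` now needs it. The StringRaw builtin continues past the end of the hunk.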
diff --git a/deps/v8/src/builtins/builtins-typed-array.cc b/deps/v8/src/builtins/builtins-typed-array.cc
index 8c913c301d..ac1b23c8d3 100644
--- a/deps/v8/src/builtins/builtins-typed-array.cc
+++ b/deps/v8/src/builtins/builtins-typed-array.cc
@@ -27,21 +27,18 @@ BUILTIN(TypedArrayPrototypeBuffer) {
namespace {
int64_t CapRelativeIndex(Handle<Object> num, int64_t minimum, int64_t maximum) {
- int64_t relative;
if (V8_LIKELY(num->IsSmi())) {
- relative = Smi::ToInt(*num);
+ int64_t relative = Smi::ToInt(*num);
+ return relative < 0 ? std::max<int64_t>(relative + maximum, minimum)
+ : std::min<int64_t>(relative, maximum);
} else {
DCHECK(num->IsHeapNumber());
- double fp = HeapNumber::cast(*num)->value();
- if (V8_UNLIKELY(!std::isfinite(fp))) {
- // +Infinity / -Infinity
- DCHECK(!std::isnan(fp));
- return fp < 0 ? minimum : maximum;
- }
- relative = static_cast<int64_t>(fp);
+ double relative = HeapNumber::cast(*num)->value();
+ DCHECK(!std::isnan(relative));
+ return static_cast<int64_t>(
+ relative < 0 ? std::max<double>(relative + maximum, minimum)
+ : std::min<double>(relative, maximum));
}
- return relative < 0 ? std::max<int64_t>(relative + maximum, minimum)
- : std::min<int64_t>(relative, maximum);
}
} // namespace
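Review bot: The HeapNumber branch now depends only on the DCHECK at the top of the else block to keep NaN out: in a release build a NaN `relative` fails the `< 0` test, `std::min<double>(relative, maximum)` hands the NaN back unchanged, and the `static_cast<int64_t>` on the return line is then undefined behaviour — the same class of bug this commit is fixing. The callers are outside the hunk, so presumably each has already run ToInteger (which maps NaN to +0); if that is the contract, state it above the function, `// {num} must be the result of ToInteger: a Smi or a non-NaN HeapNumber (+/-Infinity is fine and clamps to {minimum}/{maximum}).`, and if it cannot be guaranteed, a one-line `if (V8_UNLIKELY(std::isnan(relative))) relative = 0;` before the return keeps release builds defined. The `relative + maximum` addition is now performed in double, so it is exact only while `maximum` stays below 2^53, which is presumably true for the typed-array lengths passed here but is worth a comment so the integer path is not re-added later.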