author | Michaël Zasso <targos@protonmail.com> | 2018-11-03 13:20:30 +0100 |
---|---|---|
committer | Michaël Zasso <targos@protonmail.com> | 2018-11-05 20:01:39 +0100 |
commit | 5c2d555b29d99f9d1f484fd46eff33b42ee9c11f (patch) | |
tree | 8f1c2ee1a4decda1494c6818f8a754f0b302d96b /deps/v8/src/runtime | |
parent | 7e1b178fb637abc68b1d4da1363a19db7ad02d6c (diff) | |
download | android-node-v8-5c2d555b29d99f9d1f484fd46eff33b42ee9c11f.tar.gz android-node-v8-5c2d555b29d99f9d1f484fd46eff33b42ee9c11f.tar.bz2 android-node-v8-5c2d555b29d99f9d1f484fd46eff33b42ee9c11f.zip |
deps: patch V8 to 7.0.276.35
Refs: https://github.com/v8/v8/compare/7.0.276.32...7.0.276.35
PR-URL: https://github.com/nodejs/node/pull/24056
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Refael Ackermann <refack@gmail.com>
Diffstat (limited to 'deps/v8/src/runtime')
-rw-r--r-- | deps/v8/src/runtime/runtime-array.cc | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/deps/v8/src/runtime/runtime-array.cc b/deps/v8/src/runtime/runtime-array.cc
index 31b03f6bb7..d72159b0ac 100644
--- a/deps/v8/src/runtime/runtime-array.cc
+++ b/deps/v8/src/runtime/runtime-array.cc
@@ -145,7 +145,15 @@ Object* RemoveArrayHolesGeneric(Isolate* isolate, Handle<JSReceiver> receiver,
     MAYBE_RETURN(delete_result, ReadOnlyRoots(isolate).exception());
   }
 
-  return *isolate->factory()->NewNumberFromUint(result);
+  // TODO(jgruber, szuend, chromium:897512): This is a workaround to prevent
+  // returning a number greater than array.length to Array.p.sort, which could
+  // trigger OOB accesses. There is still a correctness bug here though in
+  // how we shift around undefineds and delete elements in the two blocks above.
+  // This needs to be fixed soon.
+  const uint32_t number_of_non_undefined_elements = std::min(limit, result);
+
+  return *isolate->factory()->NewNumberFromUint(
+      number_of_non_undefined_elements);
 }
 
 // Collects all defined (non-hole) and non-undefined (array) elements at the
@@ -162,6 +170,7 @@ Object* RemoveArrayHoles(Isolate* isolate, Handle<JSReceiver> receiver,
   Handle<JSObject> object = Handle<JSObject>::cast(receiver);
   if (object->HasStringWrapperElements()) {
     int len = String::cast(Handle<JSValue>::cast(object)->value())->length();
+    DCHECK_LE(len, limit);
     return Smi::FromInt(len);
   }
 
@@ -284,6 +293,7 @@ Object* RemoveArrayHoles(Isolate* isolate, Handle<JSReceiver> receiver,
     }
   }
 
+  DCHECK_LE(result, limit);
   return *isolate->factory()->NewNumberFromUint(result);
 }
 
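Review bot: The generic path (first hunk) now clamps its return value to `limit` at runtime, but the fast path in RemoveArrayHoles (third hunk) only adds `DCHECK_LE(result, limit)`, which is compiled out of release builds, so the "never hand Array.prototype.sort a count larger than array.length" guarantee that motivates this patch holds in release only for the generic path. If the fast path is believed to maintain the invariant on its own the DCHECK is a fine tripwire, but since the commit's own TODO says the element shifting is still known to be buggy, mirroring the clamp there — `return *isolate->factory()->NewNumberFromUint(std::min(limit, result));` — would make the bounds guarantee uniform across both paths at no measurable cost. The comment in the first hunk could also state what `limit` is, e.g. `// |limit| is the caller's array length; sort must never be told to touch more elements than that.`, since the hunk does not show the parameter. `std::min` needs `<algorithm>`; if the file does not already include it, the new code is relying on a transitive include. The bodies of RemoveArrayHolesGeneric and RemoveArrayHoles both begin outside these hunks.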