authorMichaël Zasso <targos@protonmail.com>2018-11-03 13:20:30 +0100
committerMichaël Zasso <targos@protonmail.com>2018-11-05 20:01:39 +0100
commit5c2d555b29d99f9d1f484fd46eff33b42ee9c11f (patch)
tree8f1c2ee1a4decda1494c6818f8a754f0b302d96b /deps/v8/src/runtime
parent7e1b178fb637abc68b1d4da1363a19db7ad02d6c (diff)
deps: patch V8 to 7.0.276.35
Refs: https://github.com/v8/v8/compare/7.0.276.32...7.0.276.35 PR-URL: https://github.com/nodejs/node/pull/24056 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Refael Ackermann <refack@gmail.com>
Diffstat (limited to 'deps/v8/src/runtime')
-rw-r--r--deps/v8/src/runtime/runtime-array.cc12
1 files changed, 11 insertions, 1 deletions
diff --git a/deps/v8/src/runtime/runtime-array.cc b/deps/v8/src/runtime/runtime-array.cc
index 31b03f6bb7..d72159b0ac 100644
--- a/deps/v8/src/runtime/runtime-array.cc
+++ b/deps/v8/src/runtime/runtime-array.cc
@@ -145,7 +145,15 @@ Object* RemoveArrayHolesGeneric(Isolate* isolate, Handle<JSReceiver> receiver,
MAYBE_RETURN(delete_result, ReadOnlyRoots(isolate).exception());
}
- return *isolate->factory()->NewNumberFromUint(result);
+ // TODO(jgruber, szuend, chromium:897512): This is a workaround to prevent
+ // returning a number greater than array.length to Array.p.sort, which could
+ // trigger OOB accesses. There is still a correctness bug here though in
+ // how we shift around undefineds and delete elements in the two blocks above.
+ // This needs to be fixed soon.
+ const uint32_t number_of_non_undefined_elements = std::min(limit, result);
+
+ return *isolate->factory()->NewNumberFromUint(
+ number_of_non_undefined_elements);
}
// Collects all defined (non-hole) and non-undefined (array) elements at the
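Review bot: The clamp `std::min(limit, result)` on the new line depends on `<algorithm>` being included and on `result` having the same type as `limit` (`uint32_t`); `result`'s declaration and the include list are above the hunk, so confirm both rather than relying on a transitive header, since a mismatched type makes `std::min` fail to deduce. As the TODO itself states, the clamp is a mitigation and not a fix: in both debug and release builds an over-large count is now silently truncated, so the element-shifting bug it masks will no longer surface as an out-of-range value, and the follow-up for chromium:897512 should come with a regression test that exercises the path where `result` exceeds `limit`. The enclosing function `RemoveArrayHolesGeneric` starts outside the hunk.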
@@ -162,6 +170,7 @@ Object* RemoveArrayHoles(Isolate* isolate, Handle<JSReceiver> receiver,
Handle<JSObject> object = Handle<JSObject>::cast(receiver);
if (object->HasStringWrapperElements()) {
int len = String::cast(Handle<JSValue>::cast(object)->value())->length();
+ DCHECK_LE(len, limit);
return Smi::FromInt(len);
}
@@ -284,6 +293,7 @@ Object* RemoveArrayHoles(Isolate* isolate, Handle<JSReceiver> receiver,
}
}
+ DCHECK_LE(result, limit);
return *isolate->factory()->NewNumberFromUint(result);
}
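Review bot: `DCHECK_LE(result, limit)` is compiled out of release builds, so on this non-generic path the unclamped `result` still reaches `Array.prototype.sort` in production, whereas the generic path in the first hunk is clamped with `std::min` in every build. If the invariant is expected to hold here unconditionally, a `CHECK_LE(result, limit);` (or the same `std::min(limit, result)` in the return) would give release builds equivalent protection against an oversized count, at negligible cost on a return statement. I cannot see the loops above that compute `result`, so whether they can violate the invariant is inferred, not verified; the enclosing function `RemoveArrayHoles` starts outside the hunk.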