diff options
| author | Michael Starzinger <mstarzinger@google.com> | 2019-02-15 10:53:51 +0100 |
|---|---|---|
| committer | Michael BrĂ¼ning <michael.bruning@qt.io> | 2019-12-02 18:25:10 +0000 |
| commit | c51cc20f9708f84ef57985dfde03635dd394a9fa (patch) | |
| tree | bbaef7146a4757cdfb5250beaaa09aad62409f9e | |
| parent | 826925df7041dea79b98e270f3244d61ec61d9d0 (diff) | |
| download | qtwebengine-chromium-c51cc20f9708f84ef57985dfde03635dd394a9fa.tar.gz | |
[Backport] Security Bug 924905
[wasm][arm] Fix {Word32Shr} instruction selection.
This fixes a corner case with the matching for a {UBFX} instruction.
According to the ISA reference "UBFX Rd, Rn, #lsb, #width" is only valid
for "#width" in the [1;32-#lsb] range. Specifically a "#width" of 0 is
invalid but was not checked against by the instruction selector.
BUG=chromium:924905
Change-Id: I76f2cc7090111427807730a6e0d188b9647e0a1c
Reviewed-by: Michael BrĂ¼ning <michael.bruning@qt.io>
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| -rw-r--r-- | chromium/v8/src/compiler/arm/instruction-selector-arm.cc | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/chromium/v8/src/compiler/arm/instruction-selector-arm.cc b/chromium/v8/src/compiler/arm/instruction-selector-arm.cc index 5279d1eec1e..9f3ee4636a5 100644 --- a/chromium/v8/src/compiler/arm/instruction-selector-arm.cc +++ b/chromium/v8/src/compiler/arm/instruction-selector-arm.cc @@ -725,6 +725,7 @@ void EmitBic(InstructionSelector* selector, Node* node, Node* left, void EmitUbfx(InstructionSelector* selector, Node* node, Node* left, uint32_t lsb, uint32_t width) { + DCHECK_LE(lsb, 31u); DCHECK_LE(1u, width); DCHECK_LE(width, 32u - lsb); ArmOperandGenerator g(selector); @@ -917,7 +918,7 @@ void InstructionSelector::VisitWord32Shr(Node* node) { uint32_t value = (mleft.right().Value() >> lsb) << lsb; uint32_t width = base::bits::CountPopulation32(value); uint32_t msb = base::bits::CountLeadingZeros32(value); - if (msb + width + lsb == 32) { + if ((width != 0) && (msb + width + lsb == 32)) { DCHECK_EQ(lsb, base::bits::CountTrailingZeros32(value)); return EmitUbfx(this, node, mleft.left().node(), lsb, width); } |