authorClemens Backes <clemensb@chromium.org>2019-12-16 16:15:03 +0100
committerMichael Brüning <michael.bruning@qt.io>2020-03-02 12:26:13 +0000
commit08bb21bc0ae4d4175813d8f5c9a53457fcced753 (patch)
treea4e0ea803e7f309bb73f52512faa9a3fd63ba5f3
parent5751c8f721439d6abefdeddbbcb7fbcc4b415334 (diff)
downloadqtwebengine-chromium-08bb21bc0ae4d4175813d8f5c9a53457fcced753.tar.gz
[Backport] CVE-2020-6381 - Integer overflow in Javascript
Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/v8/v8/+/1992424: Merged: [arm] Fix constant pool hiccup for huge table switch The {cmp} instruction might add an entry to the constant pool at a time where we didn't expect any entries to be added. This can be fixed by moving the {CheckConstPool} call *after* the {cmp}. TBR=mslekova@chromium.org (cherry picked from commit 2d89d8a92685cfa0df8724a0ae057d97ff4b2fec) Bug: chromium:1034394 Change-Id: I37f46321b30220ce9823625267ef5c77c9d76860 Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/v8/src/compiler/backend/arm/code-generator-arm.cc3
1 files changed, 2 insertions, 1 deletions
diff --git a/chromium/v8/src/compiler/backend/arm/code-generator-arm.cc b/chromium/v8/src/compiler/backend/arm/code-generator-arm.cc
index 88a9c52a333..79e9b425ebb 100644
--- a/chromium/v8/src/compiler/backend/arm/code-generator-arm.cc
+++ b/chromium/v8/src/compiler/backend/arm/code-generator-arm.cc
@@ -2970,9 +2970,10 @@ void CodeGenerator::AssembleArchTableSwitch(Instruction* instr) {
ArmOperandConverter i(this, instr);
Register input = i.InputRegister(0);
size_t const case_count = instr->InputCount() - 2;
+ // This {cmp} might still emit a constant pool entry.
+ __ cmp(input, Operand(case_count));
// Ensure to emit the constant pool first if necessary.
__ CheckConstPool(true, true);
- __ cmp(input, Operand(case_count));
__ BlockConstPoolFor(case_count + 2);
__ add(pc, pc, Operand(input, LSL, 2), LeaveCC, lo);
__ b(GetLabel(i.InputRpo(1)));
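Review bot: The comment added above the moved `cmp` says it "might still emit a constant pool entry" but not why its position relative to `CheckConstPool` matters, which is the whole point of the fix, so a later reordering could reintroduce the bug without any comment objecting. Suggest replacing it with `// {cmp} may add a constant pool entry (presumably when the immediate is not encodable), so it must precede CheckConstPool: nothing from the check to the end of the jump table may emit pool entries.` The `BlockConstPoolFor(case_count + 2)` window after the check appears to cover only the `add`, the `b` and the table entries, so an assertion that no entry is still pending right after `CheckConstPool` would turn a regression into a codegen-time failure; I cannot tell from the hunk which assembler predicate exposes that state. `AssembleArchTableSwitch` continues past the hunk, so the table emission the window protects is not visible here. Separately, `Operand(case_count)` narrows a `size_t` implicitly; if `Operand` takes a 32-bit immediate, a `DCHECK_LE` on `case_count` or an explicit `static_cast<int32_t>` would document the bound being assumed.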