[Backport] CVE-2020-6415 - Inappropriate implementation in JavaScript

Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/v8/v8/+/1948711: [Turbofan] Fixes crash on missing BigInt.asUintN argument Bug: chromium:1029576 Change-Id: I4645b9688fecccdf31b428f27ca0f4361c265a3b Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
author: Nico Hartmann <nicohartmann@chromium.org> 2019-12-03 15:52:17 +0100
committer: Michael Brüning <michael.bruning@qt.io> 2020-03-10 15:48:27 +0000
commit: e95d8df0220989fcce48317b6bd0d622f226f74c (patch)
tree: d7471e8b57e18a9b13dc724a59cdd169ef27a5e9
parent: 98f5d9e5b14b590b6c948fa8b2728f3e47958a7d (diff)
download: qtwebengine-chromium-e95d8df0220989fcce48317b6bd0d622f226f74c.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/chromium/v8/src/compiler/js-call-reducer.cc b/chromium/v8/src/compiler/js-call-reducer.cc
index 522a04585b1..c715a93aa12 100644
--- a/chromium/v8/src/compiler/js-call-reducer.cc
+++ b/chromium/v8/src/compiler/js-call-reducer.cc
@@ -7261,7 +7261,7 @@ Reduction JSCallReducer::ReduceBigIntAsUintN(Node* node) {
   if (p.speculation_mode() == SpeculationMode::kDisallowSpeculation) {
     return NoChange();
   }
-  if (node->op()->ValueInputCount() < 3) {
+  if (node->op()->ValueInputCount() < 4) {
     return NoChange();
   }
author	Nico Hartmann <nicohartmann@chromium.org>	2019-12-03 15:52:17 +0100
committer	Michael Brüning <michael.bruning@qt.io>	2020-03-10 15:48:27 +0000
commit	e95d8df0220989fcce48317b6bd0d622f226f74c (patch)
tree	d7471e8b57e18a9b13dc724a59cdd169ef27a5e9
parent	98f5d9e5b14b590b6c948fa8b2728f3e47958a7d (diff)
download	qtwebengine-chromium-e95d8df0220989fcce48317b6bd0d622f226f74c.tar.gz