| author | Nico Hartmann <nicohartmann@chromium.org> | 2019-12-03 15:52:17 +0100 |
|---|---|---|
| committer | Michael Brüning <michael.bruning@qt.io> | 2020-03-10 15:48:27 +0000 |
| commit | e95d8df0220989fcce48317b6bd0d622f226f74c | |
| tree | d7471e8b57e18a9b13dc724a59cdd169ef27a5e9 | |
| parent | 98f5d9e5b14b590b6c948fa8b2728f3e47958a7d | |
[Backport] CVE-2020-6415 - Inappropriate implementation in JavaScript
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/1948711:
[Turbofan] Fixes crash on missing BigInt.asUintN argument
Bug: chromium:1029576
Change-Id: I4645b9688fecccdf31b428f27ca0f4361c265a3b
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
-rw-r--r-- | chromium/v8/src/compiler/js-call-reducer.cc | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/chromium/v8/src/compiler/js-call-reducer.cc b/chromium/v8/src/compiler/js-call-reducer.cc index 522a04585b1..c715a93aa12 100644 --- a/chromium/v8/src/compiler/js-call-reducer.cc +++ b/chromium/v8/src/compiler/js-call-reducer.cc @@ -7261,7 +7261,7 @@ Reduction JSCallReducer::ReduceBigIntAsUintN(Node* node) { if (p.speculation_mode() == SpeculationMode::kDisallowSpeculation) { return NoChange(); } - if (node->op()->ValueInputCount() < 3) { + if (node->op()->ValueInputCount() < 4) { return NoChange(); } |
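Review bot: the new bound `if (node->op()->ValueInputCount() < 4)` in ReduceBigIntAsUintN is a bare magic number; please add a one-line comment stating which non-argument value inputs the JSCall node carries ahead of the explicit arguments, so the check reads as "bail out unless at least one explicit argument is present" and the constant can be kept in sync if the node layout changes again (the old `< 3` going stale is exactly what the commit message describes). Since the diffstat shows only the reducer changed (1 file changed), a regression test that optimizes a function calling `BigInt.asUintN()` with the argument omitted would also be worth adding in the backport so the NoChange path is actually exercised.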