author | Nico Hartmann <nicohartmann@chromium.org> | 2022-03-17 17:03:12 +0100 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2022-05-03 20:16:27 +0000 |
commit | ab21000420a37d3a8223da5d61433c3997e67738 (patch) | |
tree | 906024cb3d7bd113a3eb5e075e208173db158428 | |
parent | bb229ddaea7a6a42ea7136fe436fb1946be5e875 (diff) | |
download | qtwebengine-chromium-ab21000420a37d3a8223da5d61433c3997e67738.tar.gz |
[Backport] CVE-2022-1314: Type Confusion in V8
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/3541919:
Fix NumberConstant used with Word32 rep in ISel
Bug: chromium:1304658
(cherry picked from commit bbea5909c797dec7c620b9fee43d80a1420c2e08)
No-Try: true
No-Presubmit: true
No-Tree-Checks: true
Change-Id: I6a82603a7c5de5ae8f5a895990c1a904bbdd39b2
Auto-Submit: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#79526}
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Roger Felipe Zanoni da Silva <rzanoni@google.com>
Cr-Commit-Position: refs/branch-heads/9.6@{#58}
Cr-Branched-From: 0b7bda016178bf438f09b3c93da572ae3663a1f7-refs/heads/9.6.180@{#1}
Cr-Branched-From: 41a5a247d9430b953e38631e88d17790306f7a4c-refs/heads/main@{#77244}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r-- | chromium/v8/src/compiler/backend/instruction-selector.cc | 16 |
1 files changed, 15 insertions, 1 deletions
diff --git a/chromium/v8/src/compiler/backend/instruction-selector.cc b/chromium/v8/src/compiler/backend/instruction-selector.cc
index 6571db18015..cb3b167e2b9 100644
--- a/chromium/v8/src/compiler/backend/instruction-selector.cc
+++ b/chromium/v8/src/compiler/backend/instruction-selector.cc
@@ -25,6 +25,14 @@ namespace v8 {
 namespace internal {
 namespace compiler {
 
+Smi NumberConstantToSmi(Node* node) {
+  DCHECK_EQ(node->opcode(), IrOpcode::kNumberConstant);
+  const double d = OpParameter<double>(node->op());
+  Smi smi = Smi::FromInt(static_cast<int32_t>(d));
+  CHECK_EQ(smi.value(), d);
+  return smi;
+}
+
 InstructionSelector::InstructionSelector(
     Zone* zone, size_t node_count, Linkage* linkage,
     InstructionSequence* sequence, Schedule* schedule,
@@ -496,11 +504,17 @@ InstructionOperand OperandForDeopt(Isolate* isolate, OperandGenerator* g,
   switch (input->opcode()) {
     case IrOpcode::kInt32Constant:
     case IrOpcode::kInt64Constant:
-    case IrOpcode::kNumberConstant:
     case IrOpcode::kFloat32Constant:
     case IrOpcode::kFloat64Constant:
     case IrOpcode::kDelayedStringConstant:
       return g->UseImmediate(input);
+    case IrOpcode::kNumberConstant:
+      if (rep == MachineRepresentation::kWord32) {
+        Smi smi = NumberConstantToSmi(input);
+        return g->UseImmediate(static_cast<int32_t>(smi.ptr()));
+      } else {
+        return g->UseImmediate(input);
+      }
     case IrOpcode::kCompressedHeapConstant:
     case IrOpcode::kHeapConstant: {
       if (!CanBeTaggedOrCompressedPointer(rep)) {
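Review bot: In NumberConstantToSmi the range check runs after the conversion: `static_cast<int32_t>(d)` is undefined behaviour when `d` is NaN or outside the int32 range, so the subsequent `CHECK_EQ(smi.value(), d)` is not a sound fail-safe for such a constant in an optimized build. Checking the double first keeps the hard-fail guarantee intact, e.g. insert `CHECK(d >= Smi::kMinValue && d <= Smi::kMaxValue);` before `Smi smi = Smi::FromInt(static_cast<int32_t>(d));` (comparisons with NaN are false, so NaN is rejected too, and the existing CHECK_EQ can stay to catch non-integral values). Note also that `CHECK_EQ(smi.value(), d)` passes for `d == -0.0` because `0 == -0.0` in C++, so a negative-zero NumberConstant would be silently emitted as Smi 0 if one can reach this path with Word32 representation — worth confirming that the lowering never produces that. A one-line header comment stating the contract would help, e.g. `// Converts a NumberConstant known to hold a Smi-range integer into a Smi; CHECK-fails otherwise (used for Word32 deopt inputs).`, and as a .cc-local helper it should probably live in the anonymous namespace next to OperandForDeopt rather than at namespace scope with external linkage.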