diff options
| author | Simon Zünd <szuend@chromium.org> | 2019-03-06 11:09:39 +0100 |
|---|---|---|
| committer | Michal Klocek <michal.klocek@qt.io> | 2019-03-27 17:16:19 +0000 |
| commit | d720564a5baa5a1f9becec0dba8d7c471d0cbfa9 (patch) | |
| tree | 087bf5008cd7f858730886c20c140c5e072c43bf | |
| parent | 269d53ceabd846258ed38362a1c3108e2320e8af (diff) | |
| download | qtwebengine-chromium-d720564a5baa5a1f9becec0dba8d7c471d0cbfa9.tar.gz | |
[Backport] Security bug 938251
Throw OOM when allocating FixedDoubleArrays with negative length
Bug: chromium:938251
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1505312
Change-Id: Ia0ebe9ccfb313a320520a40c771146c4dd55f949
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| -rw-r--r-- | chromium/v8/src/heap/factory.cc | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/chromium/v8/src/heap/factory.cc b/chromium/v8/src/heap/factory.cc index a04e2e734b7..de29a67cc14 100644 --- a/chromium/v8/src/heap/factory.cc +++ b/chromium/v8/src/heap/factory.cc @@ -464,9 +464,8 @@ Handle<ObjectBoilerplateDescription> Factory::NewObjectBoilerplateDescription( Handle<FixedArrayBase> Factory::NewFixedDoubleArray(int length, PretenureFlag pretenure) { - DCHECK_LE(0, length); if (length == 0) return empty_fixed_array(); - if (length > FixedDoubleArray::kMaxLength) { + if (length < 0 || length > FixedDoubleArray::kMaxLength) { isolate()->heap()->FatalProcessOutOfMemory("invalid array length"); } int size = FixedDoubleArray::SizeFor(length); |