diff options
author | Joyee Cheung <joyee@igalia.com> | 2023-02-14 00:58:04 +0100 |
---|---|---|
committer | Michael BrĂ¼ning <michael.bruning@qt.io> | 2023-03-24 14:07:23 +0000 |
commit | 0d63fc949d16f3e37ed7ab43d335b9d81cc6fdf7 (patch) | |
tree | 21f9b943d55785b5fc7317db76bf2b1dea066060 /chromium/third_party/dav1d | |
parent | a0c7fae43ffc4eb8da280e20bdf5c849df251130 (diff) | |
download | qtwebengine-chromium-0d63fc949d16f3e37ed7ab43d335b9d81cc6fdf7.tar.gz |
[Backport] Security bug 1415249
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/4290868:
Merged: [ic] store slow stubs for objects with access checks in DefineNamedIC
The CheckIfCanDefine() used to check the attributes of the object
as well as reporting to access check failure callbacks can update
the lookup iterator, resulting in wrong store handlers being
installed. Restart the lookup iterator in this case to make
sure that slow handlers are installed.
Bug: chromium:1415249
(cherry picked from commit da2df213bc70437ef76f47e0ab6995fa45f8014a)
Change-Id: I92d60af7ea798d80b1115e63b7fce8e2e8026ed9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4290868
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/branch-heads/11.0@{#33}
Cr-Branched-From: 06097c6f0c5af54fd5d6965d37027efb72decd4f-refs/heads/11.0.226@{#1}
Cr-Branched-From: 6bf3344f5d9940de1ab253f1817dcb99c641c9d3-refs/heads/main@{#84857}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/468618
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Diffstat (limited to 'chromium/third_party/dav1d')
0 files changed, 0 insertions, 0 deletions