From e95d8df0220989fcce48317b6bd0d622f226f74c Mon Sep 17 00:00:00 2001
From: Nico Hartmann
Date: Tue, 3 Dec 2019 15:52:17 +0100
Subject: [Backport] CVE-2020-6415 - Inappropriate implementation in JavaScript
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/v8/v8/+/1948711:

[Turbofan] Fixes crash on missing BigInt.asUintN argument

Bug: chromium:1029576
Change-Id: I4645b9688fecccdf31b428f27ca0f4361c265a3b
Reviewed-by: Jüri Valdmann
---
 chromium/v8/src/compiler/js-call-reducer.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/chromium/v8/src/compiler/js-call-reducer.cc b/chromium/v8/src/compiler/js-call-reducer.cc
index 522a04585b1..c715a93aa12 100644
--- a/chromium/v8/src/compiler/js-call-reducer.cc
+++ b/chromium/v8/src/compiler/js-call-reducer.cc
@@ -7261,7 +7261,7 @@ Reduction JSCallReducer::ReduceBigIntAsUintN(Node* node) {
   if (p.speculation_mode() == SpeculationMode::kDisallowSpeculation) {
     return NoChange();
   }
-  if (node->op()->ValueInputCount() < 3) {
+  if (node->op()->ValueInputCount() < 4) {
     return NoChange();
   }
-- 
cgit v1.2.1
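Review bot: The corrected bound `< 4` on the added line is still a bare magic number tied to the JSCall value-input layout (target, receiver, then the call arguments), which is exactly the kind of constant the original `< 3` got wrong and let the reducer index a value input that did not exist when the second argument was omitted. A comment should pin the constant to what the rest of the function reads, e.g. `// Value inputs: target, receiver, bits, bigint; both operands are read below, so all four must be present.` — the operand reads presumably follow the hunk as GetValueInput(node, 2)/(node, 3), confirm against them since ReduceBigIntAsUintN starts before and continues past this hunk. The backport carries no regression test; a mjsunit case that optimizes a call to `BigInt.asUintN` with only the bits argument (as the subject describes) would keep this from regressing, and if the upstream change under chromium:1029576 added one it should be backported alongside.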