diff options
| author | Michal Klocek <michal.klocek@qt.io> | 2017-01-24 16:39:18 +0100 |
|---|---|---|
| committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2017-04-20 07:39:02 +0000 |
| commit | af12886a6da78f1a171c8c371ba8a62a4ce23623 (patch) | |
| tree | 8204e97877a905b46ab0c22cf88ad21e99808b23 | |
| parent | 804d277cd622593141aa664744a4b64a777d8d38 (diff) | |
[Backport] CVE-2017-5012
Merged: Trigger OOM crash if no memory returned in v8::ArrayBuffer::New and v8::SharedArrayBuffe ...
Revision: ca0f957329828c61f02437f640ed8004a549018a
BUG=chromium:681843
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=jbroman@chromium.org
Change-Id: I61a0c2c5cb82646ef91ef0cc54a54178df49a7b2
Review-Url: https://codereview.chromium.org/2658433002 .
Cr-Commit-Position: refs/branch-heads/5.6@{#88}
Cr-Branched-From: bdd3886218dfe76e8560eb8a18401942452ae859-refs/heads/5.6.326@{#1}
Cr-Branched-From: 879f6599eee6e1dfcbe9a24bf688b261c03e9558-refs/heads/master@{#41014}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| -rw-r--r-- | chromium/v8/src/api.cc | 14 |
1 files changed, 11 insertions, 3 deletions
diff --git a/chromium/v8/src/api.cc b/chromium/v8/src/api.cc index 5b55008790c..4e058ae4e5f 100644 --- a/chromium/v8/src/api.cc +++ b/chromium/v8/src/api.cc @@ -6607,7 +6607,11 @@ Local<ArrayBuffer> v8::ArrayBuffer::New(Isolate* isolate, size_t byte_length) { ENTER_V8(i_isolate); i::Handle<i::JSArrayBuffer> obj = i_isolate->factory()->NewJSArrayBuffer(i::SharedFlag::kNotShared); - i::JSArrayBuffer::SetupAllocatingData(obj, i_isolate, byte_length); + // TODO(jbroman): It may be useful in the future to provide a MaybeLocal + // version that throws an exception or otherwise does not crash. + if (!i::JSArrayBuffer::SetupAllocatingData(obj, i_isolate, byte_length)) { + i::FatalProcessOutOfMemory("v8::ArrayBuffer::New"); + } return Utils::ToLocal(obj); } @@ -6803,8 +6807,12 @@ Local<SharedArrayBuffer> v8::SharedArrayBuffer::New(Isolate* isolate, ENTER_V8(i_isolate); i::Handle<i::JSArrayBuffer> obj = i_isolate->factory()->NewJSArrayBuffer(i::SharedFlag::kShared); - i::JSArrayBuffer::SetupAllocatingData(obj, i_isolate, byte_length, true, - i::SharedFlag::kShared); + // TODO(jbroman): It may be useful in the future to provide a MaybeLocal + // version that throws an exception or otherwise does not crash. + if (!i::JSArrayBuffer::SetupAllocatingData(obj, i_isolate, byte_length, true, + i::SharedFlag::kShared)) { + i::FatalProcessOutOfMemory("v8::SharedArrayBuffer::New"); + } return Utils::ToLocalShared(obj); } |