author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2017-06-13 14:09:18 +0200 |
---|---|---|
committer | Alexandru Croitor <alexandru.croitor@qt.io> | 2017-07-07 09:15:52 +0000 |
commit | f462acffbcfdb4dcc6cc96a45510b5b90c1f7df9 (patch) | |
tree | a600c7a65958ffa52230c087c1f0bc6d1f77ea47 | |
parent | a8e8840888aa122155bc598ba02b62f59f9b37ff (diff) |
[Backport] Fix for CVE-2017-5071
Add missing early-bailouts in ast traversal visitors
Instructions after an unconditional jump can be omitted.
BUG=chromium:715582
R=bradnelson@chromium.org,verwaest@chromium.org
TBR=bradnelson@chromium.org
Change-Id: Ie1443a6ff2cf907b90275f806946d081cc533568
Reviewed-on: https://chromium-review.googlesource.com/487983
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- | chromium/v8/src/ast/ast-numbering.cc | 1 | ||||
-rw-r--r-- | chromium/v8/src/wasm/asm-wasm-builder.cc | 2 |
2 files changed, 2 insertions, 1 deletions
diff --git a/chromium/v8/src/ast/ast-numbering.cc b/chromium/v8/src/ast/ast-numbering.cc
index 6c2b696a5df..ce57a2cf3c6 100644
--- a/chromium/v8/src/ast/ast-numbering.cc
+++ b/chromium/v8/src/ast/ast-numbering.cc
@@ -530,6 +530,7 @@ void AstNumberingVisitor::VisitStatements(ZoneList<Statement*>* statements) {
 if (statements == NULL) return;
 for (int i = 0; i < statements->length(); i++) {
 Visit(statements->at(i));
+ if (statements->at(i)->IsJump()) break;
 }
 }
diff --git a/chromium/v8/src/wasm/asm-wasm-builder.cc b/chromium/v8/src/wasm/asm-wasm-builder.cc
index 30f84642f82..2c3d8858b96 100644
--- a/chromium/v8/src/wasm/asm-wasm-builder.cc
+++ b/chromium/v8/src/wasm/asm-wasm-builder.cc
@@ -88,7 +88,7 @@ class AsmWasmBuilderImpl : public AstVisitor {
 for (int i = 0; i < stmts->length(); ++i) {
 Statement* stmt = stmts->at(i);
 RECURSE(Visit(stmt));
- if (stmt->IsJump()) break;
+ // Not stopping when a jump statement is found.
 }
 } |
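Review bot: The added `break` in `AstNumberingVisitor::VisitStatements` leaves every statement after a jump unnumbered, and nothing beside it records that passes consuming the numbering must skip the same statements. A comment such as `// Statements after an unconditional jump are unreachable and stay unnumbered; consumers of the numbering must stop here too.` would make that invariant visible at the point where it is established. `statements->at(i)` is also evaluated twice per iteration; a local, `Statement* stmt = statements->at(i);`, as the asm-wasm builder loop in this same commit uses, reads better. The function signature appears only in the hunk header.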
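Review bot: Replacing `if (stmt->IsJump()) break;` with a comment makes this loop visit statements that, after the ast-numbering.cc change in the same commit, are presumably no longer numbered, and the new comment says what happens but not why it is safe. The commit title describes adding early bailouts while this hunk removes one, so the reason belongs in the code, for example `// Keep visiting after a jump: <reason>; nothing below may rely on AST numbering of these statements.` Whether the builder reads per-node data assigned during numbering cannot be verified from the lines shown and is worth confirming, since the two visitors now disagree on which statements they reach. The enclosing method starts outside the hunk.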