authorAllan Sandfeld Jensen <allan.jensen@qt.io>2017-06-13 14:09:18 +0200
committerAlexandru Croitor <alexandru.croitor@qt.io>2017-07-07 09:15:52 +0000
commitf462acffbcfdb4dcc6cc96a45510b5b90c1f7df9 (patch)
treea600c7a65958ffa52230c087c1f0bc6d1f77ea47
parenta8e8840888aa122155bc598ba02b62f59f9b37ff (diff)
[Backport] Fix for CVE-2017-5071
Add missing early-bailouts in ast traversal visitors

Instructions after an unconditional jump can be omitted.

BUG=chromium:715582
R=bradnelson@chromium.org,verwaest@chromium.org
TBR=bradnelson@chromium.org
Change-Id: Ie1443a6ff2cf907b90275f806946d081cc533568
Reviewed-on: https://chromium-review.googlesource.com/487983
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/v8/src/ast/ast-numbering.cc1
-rw-r--r--chromium/v8/src/wasm/asm-wasm-builder.cc2
2 files changed, 2 insertions, 1 deletions
diff --git a/chromium/v8/src/ast/ast-numbering.cc b/chromium/v8/src/ast/ast-numbering.cc
index 6c2b696a5df..ce57a2cf3c6 100644
--- a/chromium/v8/src/ast/ast-numbering.cc
+++ b/chromium/v8/src/ast/ast-numbering.cc
@@ -530,6 +530,7 @@ void AstNumberingVisitor::VisitStatements(ZoneList<Statement*>* statements) {
if (statements == NULL) return;
for (int i = 0; i < statements->length(); i++) {
Visit(statements->at(i));
+ if (statements->at(i)->IsJump()) break;
}
}
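Review bot: The added line re-evaluates `statements->at(i)` immediately after the `Visit` call on the previous line; naming the element once reads better and matches the form the wasm builder's loop in the second file already uses: `Statement* stmt = statements->at(i);` / `Visit(stmt);` / `if (stmt->IsJump()) break;`. The early exit itself is the substance of the fix: once numbering stops at an unconditional jump, statements after it are never numbered, which presumably has to agree with whatever pass later consumes those numbers, so a regression test with statements placed after a jump inside a block would pin that agreement. `AstNumberingVisitor::VisitStatements` begins before this hunk; only its signature is visible in the `@@` header.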
diff --git a/chromium/v8/src/wasm/asm-wasm-builder.cc b/chromium/v8/src/wasm/asm-wasm-builder.cc
index 30f84642f82..2c3d8858b96 100644
--- a/chromium/v8/src/wasm/asm-wasm-builder.cc
+++ b/chromium/v8/src/wasm/asm-wasm-builder.cc
@@ -88,7 +88,7 @@ class AsmWasmBuilderImpl : public AstVisitor {
for (int i = 0; i < stmts->length(); ++i) {
Statement* stmt = stmts->at(i);
RECURSE(Visit(stmt));
- if (stmt->IsJump()) break;
+ // Not stopping when a jump statement is found.
}
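Review bot: The comment that replaces the removed `break` on the previous line states what the loop no longer does, not why, and a reader who finds `RECURSE(Visit(stmt));` with no bailout will reasonably try to re-add one, especially since the first file in this commit adds exactly that `IsJump()` check to `AstNumberingVisitor::VisitStatements`. Spell out the reason the asm.js-to-wasm builder must keep visiting statements past an unconditional jump, e.g. `// Deliberately keep visiting statements after a jump: <reason>`; the reason is not recoverable from this hunk, so it has to come from the original change. The enclosing function starts before the hunk; only the `class AsmWasmBuilderImpl` line appears in the `@@` header.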
}