[Backport] CVE-2018-6142

Merged: Do not throw if the array is empty in Map constructor Bug: chromium:837939 Reviewed-on: https://chromium-review.googlesource.com/1034043 Change-Id: Ib7fde214c3edf7824fb38fd9a0f5bd92fc93acde Reviewed-by: Kai Koehne <kai.koehne@qt.io>
author: Michal Klocek <michal.klocek@qt.io> 2018-06-05 17:47:23 +0200
committer: Michal Klocek <michal.klocek@qt.io> 2018-06-06 10:08:29 +0000
commit: 63cc2675827254a451dc7f3d628fe0a29e086864 (patch)
tree: b357f021e566dcd4695fa124951202cfb172b05c
parent: 769be6e7ec66de81c807a1afd4335ed82b8e678d (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/chromium/v8/src/builtins/builtins-collections-gen.cc b/chromium/v8/src/builtins/builtins-collections-gen.cc
index 392040c9955..d6cbe0ecf06 100644
--- a/chromium/v8/src/builtins/builtins-collections-gen.cc
+++ b/chromium/v8/src/builtins/builtins-collections-gen.cc
@@ -186,6 +186,7 @@ void BaseCollectionsAssembler::AddConstructorEntriesFromFastJSArray(
   CSA_ASSERT(this, IntPtrGreaterThanOrEqual(length, IntPtrConstant(0)));
 
   Label exit(this), if_doubles(this), if_smiorobjects(this);
+  GotoIf(IntPtrEqual(length, IntPtrConstant(0)), &exit);
   Branch(IsFastSmiOrTaggedElementsKind(elements_kind), &if_smiorobjects,
          &if_doubles);
   BIND(&if_smiorobjects);
author	Michal Klocek <michal.klocek@qt.io>	2018-06-05 17:47:23 +0200
committer	Michal Klocek <michal.klocek@qt.io>	2018-06-06 10:08:29 +0000
commit	63cc2675827254a451dc7f3d628fe0a29e086864 (patch)
tree	b357f021e566dcd4695fa124951202cfb172b05c
parent	769be6e7ec66de81c807a1afd4335ed82b8e678d (diff)