authorJakob Kummerow <jkummerow@chromium.org>2020-11-25 23:09:27 +0100
committerMichael BrĂ¼ning <michael.bruning@qt.io>2020-12-09 13:43:27 +0000
commit72f67be024afbbeadab26e9c3f3f848827c85e18 (patch)
tree2983db803d3acd823de185af23be046f64496f6e
parentc1cc6046fbc810daf91263b01953c359f6ad2c21 (diff)
[Backport] CVE-2020-16042: Uninitialized Use in V8
Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/v8/v8/+/2561618: [bigint] Fix possibly-uninitialized leading digit on right shift Fixed: chromium:1151890 Change-Id: I26f5c76494a9ff3f5a141f381e1c9a543e368571 Auto-Submit: Jakob Kummerow <jkummerow@chromium.org> Commit-Queue: Georg Neis <neis@chromium.org> Reviewed-by: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#71422} Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/v8/src/objects/bigint.cc2
1 files changed, 2 insertions, 0 deletions
diff --git a/chromium/v8/src/objects/bigint.cc b/chromium/v8/src/objects/bigint.cc
index 4bb83a93b67..f5386cdee0b 100644
--- a/chromium/v8/src/objects/bigint.cc
+++ b/chromium/v8/src/objects/bigint.cc
@@ -1742,6 +1742,8 @@ Handle<BigInt> MutableBigInt::RightShiftByAbsolute(Isolate* isolate,
DCHECK_LE(result_length, length);
Handle<MutableBigInt> result = New(isolate, result_length).ToHandleChecked();
if (bits_shift == 0) {
+ // Zero out any overflow digit (see "rounding_can_overflow" above).
+ result->set_digit(result_length - 1, 0);
for (int i = digit_shift; i < length; i++) {
result->set_digit(i - digit_shift, x->digit(i));
}
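Review bot: The zeroing on the added line `result->set_digit(result_length - 1, 0);` is correct only because of an invariant established elsewhere — that `result_length` exceeds the copy loop's upper bound `length - digit_shift` by at most one digit (the `rounding_can_overflow` increment the comment points to) — so a future change to that adjustment would silently reintroduce the uninitialized read; writing the fill against the loop's own bound keeps the two in step: `for (int i = length - digit_shift; i < result_length; i++) result->set_digit(i, 0);`. That form is also a no-op in the common case where `result_length == length - digit_shift`, instead of a write the copy loop immediately overwrites. Note that the `DCHECK_LE` two lines above is compiled out in release builds, and nothing in the hunk shows `result_length >= 1`; if an earlier exit for `digit_shift >= length` guarantees that (likely, but outside the hunk), a one-line comment saying so next to the index computation would make the subtraction obviously safe. The enclosing `RightShiftByAbsolute` starts and ends outside the hunk, including the `else` branch for `bits_shift != 0` and the rounding step that consumes the zeroed digit.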