diff options
author | Jakob Kummerow <jkummerow@chromium.org> | 2020-11-25 23:09:27 +0100 |
---|---|---|
committer | Michael BrĂ¼ning <michael.bruning@qt.io> | 2020-12-09 13:43:27 +0000 |
commit | 72f67be024afbbeadab26e9c3f3f848827c85e18 (patch) | |
tree | 2983db803d3acd823de185af23be046f64496f6e | |
parent | c1cc6046fbc810daf91263b01953c359f6ad2c21 (diff) |
[Backport] CVE-2020-16042: Uninitialized Use in V8
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/2561618:
[bigint] Fix possibly-uninitialized leading digit on right shift
Fixed: chromium:1151890
Change-Id: I26f5c76494a9ff3f5a141f381e1c9a543e368571
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71422}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r-- | chromium/v8/src/objects/bigint.cc | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/chromium/v8/src/objects/bigint.cc b/chromium/v8/src/objects/bigint.cc index 4bb83a93b67..f5386cdee0b 100644 --- a/chromium/v8/src/objects/bigint.cc +++ b/chromium/v8/src/objects/bigint.cc @@ -1742,6 +1742,8 @@ Handle<BigInt> MutableBigInt::RightShiftByAbsolute(Isolate* isolate, DCHECK_LE(result_length, length); Handle<MutableBigInt> result = New(isolate, result_length).ToHandleChecked(); if (bits_shift == 0) { + // Zero out any overflow digit (see "rounding_can_overflow" above). + result->set_digit(result_length - 1, 0); for (int i = digit_shift; i < length; i++) { result->set_digit(i - digit_shift, x->digit(i)); } |