authorDeepti Gandluri <gdeepti@chromium.org>2021-01-27 22:19:44 -0800
committerMichael Brüning <michael.bruning@qt.io>2021-04-06 08:55:49 +0000
commitba310eea830a7286fecf70f6daf4ac25c56c17d4 (patch)
tree8184e9b254553e186a2141f278b0218bf8d12452
parentbdb7d20273f458bc56a4ae72dfe9e5b0d3ed4651 (diff)
[Backport] CVE-2021-21148: Heap buffer overflow in V8
Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/v8/v8/+/2674169: [Merged ][wasm] PostMessage of Memory.buffer should throw PostMessage of an ArrayBuffer that is not detachable should result in a DataCloneError. TBR=gdeepti@chromium.org (cherry picked from commit dfcf1e86fac0a7b067caf8fdfc13eaf3e3f445e4) Bug: chromium:1170176, chromium:961059 No-Try: true No-Presubmit: true No-Tree-Checks: true Change-Id: Ife852df032841b7001375acd5e101d614c4b0771 Reviewed-by: Zhi An Ng <zhin@chromium.org> Commit-Queue: Zhi An Ng <zhin@chromium.org> Cr-Commit-Position: refs/branch-heads/8.8@{#30} Cr-Branched-From: 2dbcdc105b963ee2501c82139eef7e0603977ff0-refs/heads/8.8.278@{#1} Cr-Branched-From: 366d30c99049b3f1c673f8a93deb9f879d0fa9f0-refs/heads/master@{#71094} Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/v8/src/messages.h2
-rw-r--r--chromium/v8/src/value-serializer.cc6
2 files changed, 8 insertions, 0 deletions
diff --git a/chromium/v8/src/messages.h b/chromium/v8/src/messages.h
index 1d1a07d7b69..210a7ac4f6a 100644
--- a/chromium/v8/src/messages.h
+++ b/chromium/v8/src/messages.h
@@ -751,6 +751,8 @@ class ErrorUtils : public AllStatic {
T(DataCloneErrorOutOfMemory, "Data cannot be cloned, out of memory.") \
T(DataCloneErrorNeuteredArrayBuffer, \
"An ArrayBuffer is neutered and could not be cloned.") \
+ T(DataCloneErrorNonNeuterableArrayBuffer, \
+ "ArrayBuffer is not neuterable and could not be cloned.") \
T(DataCloneErrorSharedArrayBufferTransferred, \
"A SharedArrayBuffer could not be cloned. SharedArrayBuffer must not be " \
"transferred.") \
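Review bot: The added message text is inconsistent with its neighbour: the existing entry reads `"An ArrayBuffer is neutered and could not be cloned."` while the new one drops the article, `"ArrayBuffer is not neuterable and could not be cloned."`; for a uniform DataCloneError family use `"An ArrayBuffer is not neuterable and could not be cloned."`. The identifier `DataCloneErrorNonNeuterableArrayBuffer` follows this tree's "neuter" terminology (matching the `is_neuterable()` accessor used in the value-serializer hunk) rather than the "detachable" wording quoted in the commit description, which is the right choice for a backport. The enclosing `T(...)` message list starts and ends outside the hunk.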
diff --git a/chromium/v8/src/value-serializer.cc b/chromium/v8/src/value-serializer.cc
index 47c63e12aa7..8eb6dce4bfe 100644
--- a/chromium/v8/src/value-serializer.cc
+++ b/chromium/v8/src/value-serializer.cc
@@ -824,6 +824,12 @@ Maybe<bool> ValueSerializer::WriteJSArrayBuffer(
return ThrowIfOutOfMemory();
}
+ if (!array_buffer->is_neuterable()) {
+ ThrowDataCloneError(
+ MessageTemplate::kDataCloneErrorNonNeuterableArrayBuffer);
+ return Nothing<bool>();
+ }
+
uint32_t* transfer_entry = array_buffer_transfer_map_.Find(array_buffer);
if (transfer_entry) {
WriteTag(SerializationTag::kArrayBufferTransfer);
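Review bot: The new `if (!array_buffer->is_neuterable())` guard carries no explanation of why such a buffer must be rejected, and its placement is the whole fix: it runs before the `array_buffer_transfer_map_` lookup, so a non-neuterable buffer in the transfer list never reaches the `kArrayBufferTransfer` tag, and the plain copy-clone path below is rejected as well; a comment should record that, e.g. `// Non-neuterable buffers (e.g. WebAssembly.Memory.buffer) can neither be cloned nor transferred; see crbug.com/1170176.` Rejecting the copy path too appears deliberate per the commit description, but if a by-copy clone of such a buffer was previously accepted this is an observable behaviour change that downstream callers should be told about. The backport carries no regression test (the diffstat lists only the two source files), so a serializer test that posts a WebAssembly.Memory buffer both with and without a transfer list would be worth adding downstream. Whether typed-array or DataView wrappers over such a buffer also funnel through this function is not visible in the hunk and should be confirmed. WriteJSArrayBuffer begins and ends outside the hunk.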