| field | value | date |
|---|---|---|
| author | Shu-yu Guo <syg@chromium.org> | 2023-06-05 16:05:52 -0700 |
| committer | Michael Brüning <michael.bruning@qt.io> | 2023-06-22 20:35:45 +0000 |
| commit | a41f9a742b7f00e716ebe4fdd9c5a647991d63db | |
| tree | ebbac84f885e2578364c4a2cc99a7186e9855771 | |
| parent | f59c618de5b929b94e4c9ddf4580d130cc4dba95 | |
[Backport] CVE-2023-3216: Type Confusion in V8
Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/4591495:
Check for encoding when appending in string builder
Fixed: chromium:1450114
Change-Id: I6d1a790b213d24d2737f4b268e8c35ba999f8adf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4591495
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#88091}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/487334
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
chromium/v8/src/strings/string-builder.cc | 17
1 file changed, 13 insertions, 4 deletions
diff --git a/chromium/v8/src/strings/string-builder.cc b/chromium/v8/src/strings/string-builder.cc index cfb9a554121..7df19ca854a 100644 --- a/chromium/v8/src/strings/string-builder.cc +++ b/chromium/v8/src/strings/string-builder.cc @@ -301,12 +301,21 @@ bool IncrementalStringBuilder::CanAppendByCopy(Handle<String> string) { void IncrementalStringBuilder::AppendStringByCopy(Handle<String> string) { DCHECK(CanAppendByCopy(string)); - Handle<SeqOneByteString> part = - Handle<SeqOneByteString>::cast(current_part()); { DisallowHeapAllocation no_gc; - String::WriteToFlat(*string, part->GetChars(no_gc) + current_index_, 0, - string->length()); + if (encoding_ == String::ONE_BYTE_ENCODING) { + String::WriteToFlat( + *string, + Handle<SeqOneByteString>::cast(current_part())->GetChars(no_gc) + + current_index_, + 0, string->length()); + } else { + String::WriteToFlat( + *string, + Handle<SeqTwoByteString>::cast(current_part())->GetChars(no_gc) + + current_index_, + 0, string->length()); + } } current_index_ += string->length(); DCHECK(current_index_ <= part_length_); |
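Review bot: the new encoding_ dispatch in AppendStringByCopy still relies on an unchecked cast in release builds; the only guard is `DCHECK(CanAppendByCopy(string));` at the top of the function, which compiles away outside debug builds, so if encoding_ ever disagrees with the concrete type of current_part() the `Handle<SeqOneByteString>::cast(current_part())` / `Handle<SeqTwoByteString>::cast(current_part())` in the respective branch writes through the wrong layout, which is exactly the class of bug this patch is fixing. Suggest adding a DCHECK in each branch that the part really is the expected sequential type (e.g. `DCHECK(current_part()->IsSeqOneByteString());` before the one-byte WriteToFlat and the two-byte equivalent in the else branch), so a future desync is caught in debug runs. Minor style point: both branches are identical apart from the cast target; factoring the cast-plus-WriteToFlat into a small templated helper would remove the duplicated `*string, ..., 0, string->length()` argument lists and make the encoding check the only thing that differs. The trailing `DCHECK(current_index_ <= part_length_);` is likewise debug-only and does not bound the copy in release, so it should not be read as protecting the write.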