authorShu-yu Guo <syg@chromium.org>2023-06-05 16:05:52 -0700
committerMichael BrĂ¼ning <michael.bruning@qt.io>2023-06-22 20:35:45 +0000
commita41f9a742b7f00e716ebe4fdd9c5a647991d63db (patch)
treeebbac84f885e2578364c4a2cc99a7186e9855771
parentf59c618de5b929b94e4c9ddf4580d130cc4dba95 (diff)
[Backport] CVE-2023-3216: Type Confusion in V8
Manual cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/v8/v8/+/4591495: Check for encoding when appending in string builder Fixed: chromium:1450114 Change-Id: I6d1a790b213d24d2737f4b268e8c35ba999f8adf Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4591495 Reviewed-by: Jakob Linke <jgruber@chromium.org> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Commit-Queue: Shu-yu Guo <syg@chromium.org> Cr-Commit-Position: refs/heads/main@{#88091} Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/487334 Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/v8/src/strings/string-builder.cc17
1 files changed, 13 insertions, 4 deletions
diff --git a/chromium/v8/src/strings/string-builder.cc b/chromium/v8/src/strings/string-builder.cc
index cfb9a554121..7df19ca854a 100644
--- a/chromium/v8/src/strings/string-builder.cc
+++ b/chromium/v8/src/strings/string-builder.cc
@@ -301,12 +301,21 @@ bool IncrementalStringBuilder::CanAppendByCopy(Handle<String> string) {
void IncrementalStringBuilder::AppendStringByCopy(Handle<String> string) {
DCHECK(CanAppendByCopy(string));
- Handle<SeqOneByteString> part =
- Handle<SeqOneByteString>::cast(current_part());
{
DisallowHeapAllocation no_gc;
- String::WriteToFlat(*string, part->GetChars(no_gc) + current_index_, 0,
- string->length());
+ if (encoding_ == String::ONE_BYTE_ENCODING) {
+ String::WriteToFlat(
+ *string,
+ Handle<SeqOneByteString>::cast(current_part())->GetChars(no_gc) +
+ current_index_,
+ 0, string->length());
+ } else {
+ String::WriteToFlat(
+ *string,
+ Handle<SeqTwoByteString>::cast(current_part())->GetChars(no_gc) +
+ current_index_,
+ 0, string->length());
+ }
}
current_index_ += string->length();
DCHECK(current_index_ <= part_length_);
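Review bot: The raw write in the new if/else still has no release-build guard: the only check that the source fits and is encoding-compatible is the `DCHECK(CanAppendByCopy(string))` at the top of the function, which compiles out of release builds, so a caller that violates the precondition gets an unchecked memory write into whatever `current_part()` is; consider `CHECK(CanAppendByCopy(string))` if the call site count allows it, or at minimum document the invariant the dispatch depends on. I would add above the `if`: `// current_part() is a SeqOneByteString iff encoding_ == ONE_BYTE_ENCODING and a SeqTwoByteString otherwise; the cast must match or GetChars() yields a pointer of the wrong element width.` The trailing `DCHECK(current_index_ <= part_length_)` is likewise debug-only and runs after the write, so it cannot stop an overrun. CanAppendByCopy's body is outside the hunk, so I am assuming it covers both the length and the encoding condition; the end of AppendStringByCopy is also past the hunk.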