[Backport] CVE-2022-1310: Use after free in regular expressions

Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/3548819:
Update write barrier when storing HeapNumber to last index.

(cherry picked from commit bdc4f54a50293507d9ef51573bab537883560cc8)

Bug: chromium:1307610
No-Try: true
No-Presubmit: true
No-Tree-Checks: true
Change-Id: I60aaa0e58e13b705b5eff4b57411a0ad4a2e9b3f
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#79538}
Reviewed-by: Artem Sumaneev <asumaneev@google.com>
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Roger Felipe Zanoni da Silva <rzanoni@google.com>
Cr-Commit-Position: refs/branch-heads/9.6@{#64}
Cr-Branched-From: 0b7bda016178bf438f09b3c93da572ae3663a1f7-refs/heads/9.6.180@{#1}
Cr-Branched-From: 41a5a247d9430b953e38631e88d17790306f7a4c-refs/heads/main@{#77244}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Reviewed-by: Michal Klocek <michal.klocek@qt.io>

1 files changed, 2 insertions, 1 deletions

diff --git a/chromium/v8/src/regexp/regexp-utils.cc b/chromium/v8/src/regexp/regexp-utils.cc
index 556edbdac88..d099fd4209d 100644
--- a/chromium/v8/src/regexp/regexp-utils.cc
+++ b/chromium/v8/src/regexp/regexp-utils.cc
@@ -49,7 +49,8 @@ MaybeHandle<Object> RegExpUtils::SetLastIndex(Isolate* isolate,
   Handle<Object> value_as_object =
       isolate->factory()->NewNumberFromInt64(value);
   if (HasInitialRegExpMap(isolate, *recv)) {
-    JSRegExp::cast(*recv).set_last_index(*value_as_object, SKIP_WRITE_BARRIER);
+    JSRegExp::cast(*recv).set_last_index(*value_as_object,
+                                         UPDATE_WRITE_BARRIER);
     return recv;
   } else {
     return Object::SetProperty(