| author | Brendon Tiszka <btiszka@gmail.com> | 2022-03-18 01:32:54 -0400 |
|---|---|---|
| committer | Michael Brüning <michael.bruning@qt.io> | 2022-05-19 15:10:22 +0000 |
| commit | 030f87fcb7fded31e7b845513ad88bbf93255ec3 (patch) | |
| tree | 52c1e28681f8df348d0f9823d3f84b5e58f0d147 /chromium | |
| parent | 19fe7536da19e809634fcf92ad72ffa27f905b0e (diff) | |
[Backport] CVE-2022-1310: Use after free in regular expressions
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/3548819:
Update write barrier when storing HeapNumber to last index.
(cherry picked from commit bdc4f54a50293507d9ef51573bab537883560cc8)
Bug: chromium:1307610
No-Try: true
No-Presubmit: true
No-Tree-Checks: true
Change-Id: I60aaa0e58e13b705b5eff4b57411a0ad4a2e9b3f
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#79538}
Reviewed-by: Artem Sumaneev <asumaneev@google.com>
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Roger Felipe Zanoni da Silva <rzanoni@google.com>
Cr-Commit-Position: refs/branch-heads/9.6@{#64}
Cr-Branched-From: 0b7bda016178bf438f09b3c93da572ae3663a1f7-refs/heads/9.6.180@{#1}
Cr-Branched-From: 41a5a247d9430b953e38631e88d17790306f7a4c-refs/heads/main@{#77244}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Diffstat (limited to 'chromium')
-rw-r--r-- | chromium/v8/src/regexp/regexp-utils.cc | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/chromium/v8/src/regexp/regexp-utils.cc b/chromium/v8/src/regexp/regexp-utils.cc index 556edbdac88..d099fd4209d 100644 --- a/chromium/v8/src/regexp/regexp-utils.cc +++ b/chromium/v8/src/regexp/regexp-utils.cc @@ -49,7 +49,8 @@ MaybeHandle<Object> RegExpUtils::SetLastIndex(Isolate* isolate, Handle<Object> value_as_object = isolate->factory()->NewNumberFromInt64(value); if (HasInitialRegExpMap(isolate, *recv)) { - JSRegExp::cast(*recv).set_last_index(*value_as_object, SKIP_WRITE_BARRIER); + JSRegExp::cast(*recv).set_last_index(*value_as_object, + UPDATE_WRITE_BARRIER); return recv; } else { return Object::SetProperty( |
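Review bot: the hunk fixes the bug but leaves no in-code explanation of why the barrier is required at this store; the context line `Handle<Object> value_as_object = isolate->factory()->NewNumberFromInt64(value);` can produce a HeapNumber rather than a Smi (the commit message says as much), and SKIP_WRITE_BARRIER is only safe when the stored value can never be a heap object, so a short comment above the `set_last_index` call stating that `value_as_object` may be a freshly allocated HeapNumber and that the barrier must therefore be kept would stop a future "optimisation" from reintroducing the same use-after-free. Also, the diffstat shows only `regexp-utils.cc` changing: a regression test that sets `lastIndex` to a value outside the Smi range and then triggers a GC would pin down the fixed behaviour.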