Fix OOB read in v8's Promise handlinglineage-15.1

Bug: 138441919
Test: m -j proxy_resolver_v8_unittest && adb sync && adb shell \
      /data/nativetest/proxy_resolver_v8_unittest/proxy_resolver_v8_unittest

Change-Id: I3d9ffb76317f94ee486fbab8712a673d807a0653
(cherry picked from commit 1d4f1378628c425b2e03a22b5ea1c27f3af7f8c3)

1 files changed, 12 insertions, 0 deletions

diff --git a/src/builtins/builtins-promise.cc b/src/builtins/builtins-promise.cc
index 0d0238d2..1fb12902 100644
--- a/src/builtins/builtins-promise.cc
+++ b/src/builtins/builtins-promise.cc
@@ -98,6 +98,10 @@ Node* PromiseBuiltinsAssembler::NewPromiseCapability(Node* context,
     debug_event = TrueConstant();
   }
 
+  Label if_not_constructor(this, Label::kDeferred);
+  GotoIf(TaggedIsSmi(constructor), &if_not_constructor);
+  GotoIfNot(IsConstructorMap(LoadMap(constructor)), &if_not_constructor);
+
   Node* native_context = LoadNativeContext(context);
 
   Node* map = LoadRoot(Heap::kJSPromiseCapabilityMapRootIndex);
@@ -182,6 +186,13 @@ Node* PromiseBuiltinsAssembler::NewPromiseCapability(Node* context,
     Unreachable();
   }
 
+  Bind(&if_not_constructor);
+  {
+    Node* const message_id = SmiConstant(MessageTemplate::kNotConstructor);
+    CallRuntime(Runtime::kThrowTypeError, context, message_id, constructor);
+    Unreachable();
+  }
+
   Bind(&out);
   return var_result.value();
 }
@@ -310,6 +321,7 @@ Node* PromiseBuiltinsAssembler::SpeciesConstructor(Node* context, Node* object,
 
   // 7. If IsConstructor(S) is true, return S.
   Label throw_error(this);
+  GotoIf(TaggedIsSmi(species), &throw_error);
   Node* species_bitfield = LoadMapBitField(LoadMap(species));
   GotoIfNot(Word32Equal(Word32And(species_bitfield,
                                   Int32Constant((1 << Map::kIsConstructor))),