author | Rubin Xu <rubinxu@google.com> | 2019-08-09 18:56:42 +0100 |
---|---|---|
committer | Vasyl Gello <vasek.gello@gmail.com> | 2019-11-05 18:25:36 +0000 |
commit | f97893f129f8c9739979caaa134d9649543aa2e9 (patch) | |
tree | 58c654e9eb5f039466344881886e8418e155e23c /src/builtins/builtins-promise.cc | |
parent | daf7e4e1b47a4c554a2b64e2bfc40669f79b2476 (diff) | |
Fix OOB read in v8's Promise handlingcm-14.1
Bug: 138441919
Test: m -j proxy_resolver_v8_unittest && adb sync && adb shell \
/data/nativetest/proxy_resolver_v8_unittest/proxy_resolver_v8_unittest
Change-Id: I3d9ffb76317f94ee486fbab8712a673d807a0653
(cherry picked from commit 1d4f1378628c425b2e03a22b5ea1c27f3af7f8c3)
Diffstat (limited to 'src/builtins/builtins-promise.cc')
-rw-r--r-- | src/builtins/builtins-promise.cc | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/src/builtins/builtins-promise.cc b/src/builtins/builtins-promise.cc
index 0d0238d2..1fb12902 100644
--- a/src/builtins/builtins-promise.cc
+++ b/src/builtins/builtins-promise.cc
@@ -98,6 +98,10 @@ Node* PromiseBuiltinsAssembler::NewPromiseCapability(Node* context,
     debug_event = TrueConstant();
   }
+  Label if_not_constructor(this, Label::kDeferred);
+  GotoIf(TaggedIsSmi(constructor), &if_not_constructor);
+  GotoIfNot(IsConstructorMap(LoadMap(constructor)), &if_not_constructor);
+
   Node* native_context = LoadNativeContext(context);
   Node* map = LoadRoot(Heap::kJSPromiseCapabilityMapRootIndex);
@@ -182,6 +186,13 @@ Node* PromiseBuiltinsAssembler::NewPromiseCapability(Node* context,
     Unreachable();
   }
+  Bind(&if_not_constructor);
+  {
+    Node* const message_id = SmiConstant(MessageTemplate::kNotConstructor);
+    CallRuntime(Runtime::kThrowTypeError, context, message_id, constructor);
+    Unreachable();
+  }
+
   Bind(&out);
   return var_result.value();
 }
@@ -310,6 +321,7 @@ Node* PromiseBuiltinsAssembler::SpeciesConstructor(Node* context, Node* object,
   // 7. If IsConstructor(S) is true, return S.
   Label throw_error(this);
+  GotoIf(TaggedIsSmi(species), &throw_error);
   Node* species_bitfield = LoadMapBitField(LoadMap(species));
   GotoIfNot(Word32Equal(Word32And(species_bitfield,
                                   Int32Constant((1 << Map::kIsConstructor))),
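Review bot: The new guard in the first hunk of NewPromiseCapability (the `TaggedIsSmi` / `IsConstructorMap(LoadMap(constructor))` pair) is the check that keeps an untagged or non-constructor value from reaching `LoadMap` and the capability allocation, but nothing says which spec step it implements, whereas the neighbouring code in SpeciesConstructor labels its steps (`// 7. If IsConstructor(S) is true, return S.`). A one-line comment above the `Label if_not_constructor(...)` declaration, `// 1. If IsConstructor(C) is false, throw a TypeError exception.`, would tie the early bail-out to the NewPromiseCapability algorithm and make it obvious why the check must run before any allocation. Placing the check before `LoadNativeContext` means no partially-initialised capability is ever observable on the error path, which is worth stating in that comment as well. The deferred label body in the second hunk is fine; it passes `constructor` as the message argument, so the thrown TypeError names the offending value. NewPromiseCapability's signature and opening lines lie outside the hunks, so I cannot confirm from here that `constructor` has no other unchecked use before line 98.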