[api] Fix overflow in AdjustAmountOfExternalAllocatedMemory

ClusterFuzz found another case where "weird" embedder calls can cause
signed integer overflow. This patch fixes the last addition in that
function to use unsigned types.

Bug: chromium:991676
Change-Id: Ia77a12020908de8f0a3bd1be7d3722ba5c5c919b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1743971
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63349}
This commit is contained in:
Jakob Kummerow 2019-08-08 17:03:57 +02:00 committed by Commit Bot
parent 90fef305c8
commit 64c88d8698


@ -11098,9 +11098,12 @@ int64_t Isolate::AdjustAmountOfExternalAllocatedMemory(
}
if (change_in_bytes < 0) {
const int64_t lower_limit = *external_memory_limit + change_in_bytes;
if (lower_limit > I::kExternalAllocationSoftLimit)
const int64_t lower_limit =
static_cast<int64_t>(static_cast<uint64_t>(*external_memory_limit) +
static_cast<uint64_t>(change_in_bytes));
if (lower_limit > I::kExternalAllocationSoftLimit) {
*external_memory_limit = lower_limit;
}
} else if (change_in_bytes > 0 && amount > *external_memory_limit) {
ReportExternalAllocationLimitReached();
}
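Review bot: The unsigned addition in the new `lower_limit` computation makes a wrap-around well-defined but does not detect it, so if `*external_memory_limit` is already far negative (the kind of inconsistent embedder state this bug is about), the wrapped `lower_limit` can come out as a large positive value that passes the soft-limit check and becomes the new limit, which would silently suppress ReportExternalAllocationLimitReached on later growth. Because `change_in_bytes < 0` in this branch, a non-wrapped result is always strictly below the current limit, so the guard can reject a wrap cheaply: `if (lower_limit > I::kExternalAllocationSoftLimit && lower_limit < *external_memory_limit) {`. The cast detour also deserves a why-comment so the next reader does not "simplify" it back to a signed add, e.g. `// Add in uint64_t: embedder bookkeeping can push the limit out of range, and signed overflow is UB.` Note that converting an out-of-range uint64_t back to int64_t is implementation-defined before C++20 (two's-complement truncation in practice), which is presumably acceptable here but is the assumption the comment should name. The enclosing function begins before this hunk and its return statement lies after it.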