From 64c88d86982e4a8203656267ce7cb3ee3431a6c8 Mon Sep 17 00:00:00 2001
From: Jakob Kummerow
Date: Thu, 8 Aug 2019 17:03:57 +0200
Subject: [PATCH] [api] Fix overflow in AdjustAmountOfExternalAllocatedMemory

ClusterFuzz found another case where "weird" embedder calls can cause signed integer overflow. This patch fixes the last addition in that function to use unsigned types.

Bug: chromium:991676
Change-Id: Ia77a12020908de8f0a3bd1be7d3722ba5c5c919b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1743971
Auto-Submit: Jakob Kummerow
Commit-Queue: Yang Guo
Reviewed-by: Yang Guo
Cr-Commit-Position: refs/heads/master@{#63349}
---
 include/v8.h | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/include/v8.h b/include/v8.h
index e3e83f95a5..8f899252f8 100644
--- a/include/v8.h
+++ b/include/v8.h
@@ -11098,9 +11098,12 @@ int64_t Isolate::AdjustAmountOfExternalAllocatedMemory(
   }
   if (change_in_bytes < 0) {
-    const int64_t lower_limit = *external_memory_limit + change_in_bytes;
-    if (lower_limit > I::kExternalAllocationSoftLimit)
+    const int64_t lower_limit =
+        static_cast(static_cast(*external_memory_limit) +
+                    static_cast(change_in_bytes));
+    if (lower_limit > I::kExternalAllocationSoftLimit) {
       *external_memory_limit = lower_limit;
+    }
   } else if (change_in_bytes > 0 && amount > *external_memory_limit) {
     ReportExternalAllocationLimitReached();
   }
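Review bot: The new `lower_limit` initializer removes the signed-overflow UB, but the outer cast of an out-of-range unsigned sum back to int64_t is only implementation-defined before C++20 (two's-complement wrap became guaranteed there), and nothing on the line says the wrap is intended; a comment such as `// Embedder-supplied deltas can exceed the int64_t range: add in unsigned space so a wrap is defined rather than UB, and let the soft-limit check below reject the wrapped value.` would make the mitigation explicit for the next reader. The template arguments of the three `static_cast`s appear stripped in this rendering; assuming they are `<int64_t>`/`<uint64_t>` as the description states, the addition itself is now well-defined. The same unsigned-add pattern presumably already appears for the earlier addition the description refers to, so the comment could point at that line instead of repeating the rationale. AdjustAmountOfExternalAllocatedMemory both starts and ends outside this hunk.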