AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity

[builtins] Harden Array.prototype.concat.

Browse Source 
Defence in depth patch to prevent JavaScript from executing
from within IterateElements.

R=ishell@chromium.org
R=cbruni@chromium.org

Bug: chromium:1195977
Change-Id: Ie59d468b73b94818cea986a3ded0804f6dddd10b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2819941
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73898}
This commit is contained in:
Brendon Tiszka 2021-04-10 23:37:18 -04:00 committed by Commit Bot
parent 818dbad4f2
commit 8284359ed0
2 changed files with 10 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
AUTHORS
View File

@ -69,6 +69,7 @@ Ben Newman <ben@meteor.com>
Ben Noordhuis <info@bnoordhuis.nl>
Benjamin Tan <demoneaux@gmail.com>
Bert Belder <bertbelder@gmail.com>
Brendon Tiszka <btiszka@gmail.com>
Brice Dobry <brice.dobry@futurewei.com>
Burcu Dogan <burcujdogan@gmail.com>
Caitlin Potter <caitpotter88@gmail.com>

9
src/builtins/builtins-array.cc
View File

@ -1089,6 +1089,9 @@ bool IterateElements(Isolate* isolate, Handle<JSReceiver> receiver,
case HOLEY_SEALED_ELEMENTS:
case HOLEY_NONEXTENSIBLE_ELEMENTS:
case HOLEY_ELEMENTS: {
// Disallow execution so the cached elements won't change mid execution.
DisallowJavascriptExecution no_js(isolate);
// Run through the elements FixedArray and use HasElement and GetElement
// to check the prototype for missing elements.
Handle<FixedArray> elements(FixedArray::cast(array->elements()), isolate);
@ -1115,6 +1118,9 @@ bool IterateElements(Isolate* isolate, Handle<JSReceiver> receiver,
}
case HOLEY_DOUBLE_ELEMENTS:
case PACKED_DOUBLE_ELEMENTS: {
// Disallow execution so the cached elements won't change mid execution.
DisallowJavascriptExecution no_js(isolate);
// Empty array is FixedArray but not FixedDoubleArray.
if (length == 0) break;
// Run through the elements FixedArray and use HasElement and GetElement
@ -1151,6 +1157,9 @@ bool IterateElements(Isolate* isolate, Handle<JSReceiver> receiver,
}
case DICTIONARY_ELEMENTS: {
// Disallow execution so the cached dictionary won't change mid execution.
DisallowJavascriptExecution no_js(isolate);
Handle<NumberDictionary> dict(array->element_dictionary(), isolate);
std::vector<uint32_t> indices;
indices.reserve(dict->Capacity() / 2);