
Commit 0a17b90

DadaIsCrazy authored and mibrunin committed
[Backport] CVE-2024-3159: Out of bounds memory access in V8
Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/v8/v8/+/5401859:

Merged: [runtime] Recreate enum cache on map update if any previous map had one

If any previous map in the transition tree had an enum cache, then we recreate one when updating the map.

Bug: 330760873
(cherry picked from commit 807cf7d0b7d96212c98ed2119e07f9b2c6a23f61)
Change-Id: Ia9ea4cf17fef60166a0c037318eb539866aac37a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5401859
Reviewed-by: Igor Sheludko <[email protected]>
Commit-Queue: Igor Sheludko <[email protected]>
Auto-Submit: Darius Mercadier <[email protected]>
Cr-Commit-Position: refs/branch-heads/12.2@{#52}
Cr-Branched-From: 6eb5a9616aa6f8c705217aeb7c7ab8c037a2f676-refs/heads/12.2.281@{#1}
Cr-Branched-From: 44cf56d850167c6988522f8981730462abc04bcc-refs/heads/main@{#91934}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/553296
Reviewed-by: Michal Klocek <[email protected]>
1 parent 5af5e96 commit 0a17b90

File tree

1 file changed

+10
-3
lines changed


chromium/v8/src/objects/map-updater.cc

Lines changed: 10 additions & 3 deletions
@@ -1038,14 +1038,21 @@ MapUpdater::State MapUpdater::ConstructNewMap() {
10381038
Handle<Map> new_map =
10391039
Map::AddMissingTransitions(isolate_, split_map, new_descriptors);
10401040

1041+
bool had_any_enum_cache =
1042+
split_map->instance_descriptors(isolate_)
1043+
->enum_cache()
1044+
->keys()
1045+
->length() > 0 ||
1046+
old_descriptors_->enum_cache()->keys()->length() > 0;
1047+
10411048
// Deprecated part of the transition tree is no longer reachable, so replace
10421049
// current instance descriptors in the "survived" part of the tree with
10431050
// the new descriptors to maintain descriptors sharing invariant.
10441051
split_map->ReplaceDescriptors(isolate_, *new_descriptors);
10451052

1046-
// If the old descriptors had an enum cache, make sure the new ones do too.
1047-
if (old_descriptors_->enum_cache()->keys()->length() > 0 &&
1048-
new_map->NumberOfEnumerableProperties() > 0) {
1053+
// If the old descriptors had an enum cache (or if {split_map}'s descriptors
1054+
// had one), make sure the new ones do too.
1055+
if (had_any_enum_cache && new_map->NumberOfEnumerableProperties() > 0) {
10491056
FastKeyAccumulator::InitializeFastPropertyEnumCache(
10501057
isolate_, new_map, new_map->NumberOfEnumerableProperties());
10511058
}
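Review bot: The new `had_any_enum_cache` flag is only correct because it is evaluated before the `split_map->ReplaceDescriptors(isolate_, *new_descriptors)` call that follows it, since that call overwrites `split_map`'s descriptors with `new_descriptors`, and the new comment ("If the old descriptors had an enum cache (or if {split_map}'s descriptors had one)") does not say that the ordering is load-bearing. Suggest a one-line comment at the declaration, e.g. `// Must be computed before ReplaceDescriptors() below replaces split_map's descriptors.`, so a later refactor does not move the read past the replacement. Separately, the commit message speaks of "any previous map in the transition tree", while the hunk samples exactly two descriptor arrays, `split_map->instance_descriptors(isolate_)` and `old_descriptors_`; if that is sufficient because of the descriptor-sharing invariant mentioned in the existing comment above `ReplaceDescriptors`, say so in the comment, since a reader checking the claim against the code will not otherwise see why two arrays cover the whole tree. Note also that both checks use `keys()->length() > 0` as the "has an enum cache" test, so an enum cache with zero keys is treated as absent; that matches the condition the old code used, so it is not a regression, but it is worth stating if it is intentional.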
