[Backport] CVE-2021-21230: Type Confusion in V8

Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/2835705:
Fix off-by-one error in kAdditiveSafeInteger

Bug: chromium:1198705
Change-Id: I6b3ad82754e1ca72701ce57f16c4f085f8c87f77
Auto-Submit: Georg Neis <[email protected]>
Commit-Queue: Nico Hartmann <[email protected]>
Reviewed-by: Nico Hartmann <[email protected]>
Cr-Commit-Position: refs/heads/master@{#74033}
Reviewed-by: Allan Sandfeld Jensen <[email protected]>

Author: GeorgNeis

chromium/v8/src/compiler/type-cache.h

@@ -80,7 +80,7 @@ class V8_EXPORT_PRIVATE TypeCache final {
       Type::Union(kPositiveIntegerOrMinusZero, Type::NaN(), zone());
 
   Type const kAdditiveSafeInteger =
-      CreateRange(-4503599627370496.0, 4503599627370496.0);
+      CreateRange(-4503599627370495.0, 4503599627370495.0);
   Type const kSafeInteger = CreateRange(-kMaxSafeInteger, kMaxSafeInteger);
   Type const kAdditiveSafeIntegerOrMinusZero =
       Type::Union(kAdditiveSafeInteger, Type::MinusZero(), zone());