Skip to content

Commit d3de703

Browse files
DadaIsCrazymibrunin
DadaIsCrazy
authored and
mibrunin
committed
[Backport] CVE-2024-3159: Out of bounds memory access in V8
Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/v8/v8/+/5401859: Merged: [runtime] Recreate enum cache on map update if any previous map had one If any previous map in the transition tree had an enum cache, then we recreate one when updating the map. Bug: 330760873 (cherry picked from commit 807cf7d0b7d96212c98ed2119e07f9b2c6a23f61) Change-Id: Ia9ea4cf17fef60166a0c037318eb539866aac37a Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5401859 Reviewed-by: Igor Sheludko <[email protected]> Commit-Queue: Igor Sheludko <[email protected]> Auto-Submit: Darius Mercadier <[email protected]> Cr-Commit-Position: refs/branch-heads/12.2@{#52} Cr-Branched-From: 6eb5a9616aa6f8c705217aeb7c7ab8c037a2f676-refs/heads/12.2.281@{#1} Cr-Branched-From: 44cf56d850167c6988522f8981730462abc04bcc-refs/heads/main@{#91934} Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/554649 Reviewed-by: Michal Klocek <[email protected]>
1 parent a66bb24 commit d3de703

File tree

1 file changed

+10
-3
lines changed

1 file changed

+10
-3
lines changed

chromium/v8/src/objects/map-updater.cc

Lines changed: 10 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1036,14 +1036,21 @@ MapUpdater::State MapUpdater::ConstructNewMap() {
10361036
Handle<Map> new_map =
10371037
Map::AddMissingTransitions(isolate_, split_map, new_descriptors);
10381038

1039+
bool had_any_enum_cache =
1040+
split_map->instance_descriptors(isolate_)
1041+
->enum_cache()
1042+
->keys()
1043+
->length() > 0 ||
1044+
old_descriptors_->enum_cache()->keys()->length() > 0;
1045+
10391046
// Deprecated part of the transition tree is no longer reachable, so replace
10401047
// current instance descriptors in the "survived" part of the tree with
10411048
// the new descriptors to maintain descriptors sharing invariant.
10421049
split_map->ReplaceDescriptors(isolate_, *new_descriptors);
10431050

1044-
// If the old descriptors had an enum cache, make sure the new ones do too.
1045-
if (old_descriptors_->enum_cache()->keys()->length() > 0 &&
1046-
new_map->NumberOfEnumerableProperties() > 0) {
1051+
// If the old descriptors had an enum cache (or if {split_map}'s descriptors
1052+
// had one), make sure the new ones do too.
1053+
if (had_any_enum_cache && new_map->NumberOfEnumerableProperties() > 0) {
10471054
FastKeyAccumulator::InitializeFastPropertyEnumCache(
10481055
isolate_, new_map, new_map->NumberOfEnumerableProperties());
10491056
}

0 commit comments

Comments
 (0)