rpms / v8314-v8

Clone
Source Code
GIT

Blame SOURCES/v8-3.14.5.10-CVE-2014-1704-1.patch

c7
  1.   c7
  2.   SOURCES
  3.   v8-3.14.5.10-CVE-2014-1704-1.patch
Blob History Raw
e93883 
From bf973073d98660edf35e01e6984029e46eb85368 Mon Sep 17 00:00:00 2001
e93883 
From: "dslomov@chromium.org"
e93883 
 <dslomov@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
e93883 
Date: Mon, 13 Jan 2014 13:00:09 +0000
e93883 
Subject: [PATCH] Use unsigned integer arithmetic in Zone::NewExpand.
e93883
e93883 
    BUG=328202
e93883 
    R=jkummerow@chromium.org
e93883 
    LOG=N
e93883
e93883 
    Review URL: https://codereview.chromium.org/108783005
e93883
e93883 
    git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@18564 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
e93883 
---
e93883 
 src/zone.cc | 29 +++++++++++++++++++----------
e93883 
 1 file changed, 19 insertions(+), 10 deletions(-)
e93883
e93883 
diff --git a/src/zone.cc b/src/zone.cc
e93883 
index 51b8113..c12978f 100644
e93883 
--- a/src/zone.cc
e93883 
+++ b/src/zone.cc
e93883 
@@ -175,25 +175,31 @@ Address Zone::NewExpand(int size) {
e93883 
   // except that we employ a maximum segment size when we delete. This
e93883 
   // is to avoid excessive malloc() and free() overhead.
e93883 
   Segment* head = segment_head_;
e93883 
-  int old_size = (head == NULL) ? 0 : head->size();
e93883 
-  static const int kSegmentOverhead = sizeof(Segment) + kAlignment;
e93883 
-  int new_size_no_overhead = size + (old_size << 1);
e93883 
-  int new_size = kSegmentOverhead + new_size_no_overhead;
e93883 
+  const size_t old_size = (head == NULL) ? 0 : head->size();
e93883 
+  static const size_t kSegmentOverhead = sizeof(Segment) + kAlignment;
e93883 
+  const size_t new_size_no_overhead = size + (old_size << 1);
e93883 
+  size_t new_size = kSegmentOverhead + new_size_no_overhead;
e93883 
+  const size_t min_new_size = kSegmentOverhead + static_cast<size_t>(size);
e93883 
   // Guard against integer overflow.
e93883 
-  if (new_size_no_overhead < size || new_size < kSegmentOverhead) {
e93883 
+  if (new_size_no_overhead < static_cast<size_t>(size) ||
e93883 
+      new_size < static_cast<size_t>(kSegmentOverhead)) {
e93883 
     V8::FatalProcessOutOfMemory("Zone");
e93883 
     return NULL;
e93883 
   }
e93883 
-  if (new_size < kMinimumSegmentSize) {
e93883 
+  if (new_size < static_cast<size_t>(kMinimumSegmentSize)) {
e93883 
     new_size = kMinimumSegmentSize;
e93883 
-  } else if (new_size > kMaximumSegmentSize) {
e93883 
+  } else if (new_size > static_cast<size_t>(kMaximumSegmentSize)) {
e93883 
     // Limit the size of new segments to avoid growing the segment size
e93883 
     // exponentially, thus putting pressure on contiguous virtual address space.
e93883 
     // All the while making sure to allocate a segment large enough to hold the
e93883 
     // requested size.
e93883 
-    new_size = Max(kSegmentOverhead + size, kMaximumSegmentSize);
e93883 
+    new_size = Max(min_new_size, static_cast<size_t>(kMaximumSegmentSize));
e93883 
   }
e93883 
-  Segment* segment = NewSegment(new_size);
e93883 
+  if (new_size > INT_MAX) {
e93883 
+    V8::FatalProcessOutOfMemory("Zone");
e93883 
+    return NULL;
e93883 
+  }
e93883 
+  Segment* segment = NewSegment(static_cast<int>(new_size));
e93883 
   if (segment == NULL) {
e93883 
     V8::FatalProcessOutOfMemory("Zone");
e93883 
     return NULL;
e93883 
@@ -203,7 +209,10 @@ Address Zone::NewExpand(int size) {
e93883 
   Address result = RoundUp(segment->start(), kAlignment);
e93883 
   position_ = result + size;
e93883 
   // Check for address overflow.
e93883 
-  if (position_ < result) {
e93883 
+  // (Should not happen since the segment is guaranteed to accomodate
e93883 
+  // size bytes + header and alignment padding)
e93883 
+  if (reinterpret_cast<uintptr_t>(position_)
e93883 
+      < reinterpret_cast<uintptr_t>(result)) {
e93883 
     V8::FatalProcessOutOfMemory("Zone");
e93883 
     return NULL;
e93883 
   }
e93883 
--
e93883 
1.8.5.3
e93883

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation