From 5b1d2144ebd47ea768ca5b3cfcda830433c88efe Mon Sep 17 00:00:00 2001

From: "T.C. Hollingsworth" <tchollingsworth@gmail.com>

Date: Thu, 21 Mar 2013 17:34:19 -0700

Subject: [PATCH] backport fix for CVE-2013-2632 from SVN r13964

---

 src/objects-inl.h | 3 ++-

 src/objects.h     | 7 +++++--

 src/parser.cc     | 4 ++--

 src/parser.h      | 5 -----

 src/stub-cache.cc | 8 ++++----

 5 files changed, 13 insertions(+), 14 deletions(-)

diff --git a/src/objects-inl.h b/src/objects-inl.h

index ea5a93f..4834fa6 100644

--- a/src/objects-inl.h

+++ b/src/objects-inl.h

@@ -3500,8 +3500,9 @@ Code::Flags Code::ComputeFlags(Kind kind,

          kind == CALL_IC ||

          kind == STORE_IC ||

          kind == KEYED_STORE_IC);

+  ASSERT(argc <= Code::kMaxArguments);

   // Compute the bit mask.

-  int bits = KindField::encode(kind)

+  unsigned int bits = KindField::encode(kind)

       | ICStateField::encode(ic_state)

       | TypeField::encode(type)

       | ExtraICStateField::encode(extra_ic_state)

diff --git a/src/objects.h b/src/objects.h

index 755dd42..47d7757 100644

--- a/src/objects.h

+++ b/src/objects.h

@@ -4180,8 +4180,8 @@ class Code: public HeapObject {

   // FLAGS_MIN_VALUE and FLAGS_MAX_VALUE are specified to ensure that

   // enumeration type has correct value range (see Issue 830 for more details).

   enum Flags {

-    FLAGS_MIN_VALUE = kMinInt,

-    FLAGS_MAX_VALUE = kMaxInt

+    FLAGS_MIN_VALUE = 0,

+    FLAGS_MAX_VALUE = kMaxUInt32

   };

 #define CODE_KIND_LIST(V) \

@@ -4644,6 +4644,9 @@ class Code: public HeapObject {

   // Signed field cannot be encoded using the BitField class.

   static const int kArgumentsCountShift = 14;

   static const int kArgumentsCountMask = ~((1 << kArgumentsCountShift) - 1);

+  static const int kArgumentsBits =

+      PlatformSmiTagging::kSmiValueSize - Code::kArgumentsCountShift + 1;

+  static const int kMaxArguments = (1 << kArgumentsBits) - 1;

   // This constant should be encodable in an ARM instruction.

   static const int kFlagsNotUsedInLookup =

diff --git a/src/parser.cc b/src/parser.cc

index 03e4b03..6da414a 100644

--- a/src/parser.cc

+++ b/src/parser.cc

@@ -4243,7 +4243,7 @@ ZoneList<Expression*>* Parser::ParseArguments(bool* ok) {

   while (!done) {

     Expression* argument = ParseAssignmentExpression(true, CHECK_OK);

     result->Add(argument, zone());

-    if (result->length() > kMaxNumFunctionParameters) {

+    if (result->length() > Code::kMaxArguments) {

       ReportMessageAt(scanner().location(), "too_many_arguments",

                       Vector<const char*>::empty());

       *ok = false;

@@ -4420,7 +4420,7 @@ FunctionLiteral* Parser::ParseFunctionLiteral(Handle<String> function_name,

       top_scope_->DeclareParameter(param_name, VAR);

       num_parameters++;

-      if (num_parameters > kMaxNumFunctionParameters) {

+      if (num_parameters > Code::kMaxArguments) {

         ReportMessageAt(scanner().location(), "too_many_parameters",

                         Vector<const char*>::empty());

         *ok = false;

diff --git a/src/parser.h b/src/parser.h

index 93fd1b8..e36a9b3 100644

--- a/src/parser.h

+++ b/src/parser.h

@@ -449,11 +449,6 @@ class Parser {

                        Vector<Handle<String> > args);

  private:

-  // Limit on number of function parameters is chosen arbitrarily.

-  // Code::Flags uses only the low 17 bits of num-parameters to

-  // construct a hashable id, so if more than 2^17 are allowed, this

-  // should be checked.

-  static const int kMaxNumFunctionParameters = 32766;

   static const int kMaxNumFunctionLocals = 131071;  // 2^17-1

   enum Mode {

diff --git a/src/stub-cache.cc b/src/stub-cache.cc

index 4119147..8490c7e 100644

--- a/src/stub-cache.cc

+++ b/src/stub-cache.cc

@@ -617,7 +617,7 @@ Handle StubCache::ComputeCallConstant(int argc,

   Handle code =

       compiler.CompileCallConstant(object, holder, function, name, check);

   code->set_check_type(check);

-  ASSERT_EQ(flags, code->flags());

+  ASSERT(flags == code->flags());

   PROFILE(isolate_,

           CodeCreateEvent(CALL_LOGGER_TAG(kind, CALL_IC_TAG), *code, *name));

   GDBJIT(AddCode(GDBJITInterface::CALL_IC, *name, *code));

@@ -655,7 +655,7 @@ Handle StubCache::ComputeCallField(int argc,

   Handle code =

       compiler.CompileCallField(Handle<JSObject>::cast(object),

                                 holder, index, name);

-  ASSERT_EQ(flags, code->flags());

+  ASSERT(flags == code->flags());

   PROFILE(isolate_,

           CodeCreateEvent(CALL_LOGGER_TAG(kind, CALL_IC_TAG), *code, *name));

   GDBJIT(AddCode(GDBJITInterface::CALL_IC, *name, *code));

@@ -692,7 +692,7 @@ Handle StubCache::ComputeCallInterceptor(int argc,

   Handle code =

       compiler.CompileCallInterceptor(Handle<JSObject>::cast(object),

                                       holder, name);

-  ASSERT_EQ(flags, code->flags());

+  ASSERT(flags == code->flags());

   PROFILE(isolate(),

           CodeCreateEvent(CALL_LOGGER_TAG(kind, CALL_IC_TAG), *code, *name));

   GDBJIT(AddCode(GDBJITInterface::CALL_IC, *name, *code));

@@ -721,7 +721,7 @@ Handle StubCache::ComputeCallGlobal(int argc,

   CallStubCompiler compiler(isolate(), argc, kind, extra_state, cache_holder);

   Handle code =

       compiler.CompileCallGlobal(receiver, holder, cell, function, name);

-  ASSERT_EQ(flags, code->flags());

+  ASSERT(flags == code->flags());

   PROFILE(isolate(),

           CodeCreateEvent(CALL_LOGGER_TAG(kind, CALL_IC_TAG), *code, *name));

   GDBJIT(AddCode(GDBJITInterface::CALL_IC, *name, *code));

-- 

1.8.1.4