Fix for CVE-2020-16009 (Inappropriate implementation in V8 in Google … · kiwibrowser/src@dba3e12

This repository has been archived by the owner on Jan 23, 2025. It is now read-only.

Commit

Fix for CVE-2020-16009 (Inappropriate implementation in V8 in Google …

…Chrome)

kiwibrowser authored Nov 5, 2020

1 parent 66341b7 commit dba3e12

v8/src/map-updater.cc

-Original file line number
+Diff line change
@@ Expand Up / @@ -335,7 +335,17 @@ MapUpdater::State MapUpdater::FindTargetMap() { @@
         }
         Representation tmp_representation = tmp_details.representation();
         if (!old_details.representation().fits_into(tmp_representation)) {
-          break;
+          // Try updating the field in-place to a generalized type.
+          Representation generalized =
+              tmp_representation.generalize(old_details.representation());
+          if (!tmp_representation.CanBeInPlaceChangedTo(generalized)) {
+            break;
+          }
+          Handle<Map> field_owner(tmp_map->FindFieldOwner(isolate_, i), isolate_);
+          tmp_representation = generalized;
+          GeneralizeField(field_owner, i, tmp_details.constness(),
+                          tmp_representation,
+                          handle(tmp_descriptors->GetFieldType(i), isolate_));
         }
         if (tmp_details.location() == kField) {
@@ Expand Down @@

Please sign in to comment.