    [heap] Fix an out-of-bounds access in the marking bitmap · 8e8a06fa
    Ulan Degenbaev authored
    Deserializer can trigger OOB read in the marking bitmap inside the
    RegisterDeserializedObjectsForBlackAllocation function. This happens
    for example if an internalized string is deserialized as the last object
    on a page and is then turned into a thin-string, leaving a one-word filler
    at the end of the page. In such a case IsBlack(filler) will try to fetch
    a cell outside the marking bitmap.
    
    The fix is to increase the size of the marking bitmap by one cell, so
    that it is always safe to query markbits of any object on a page.
    
    Bug: chromium:978156
    Change-Id: If3c74e4f97d2caeb3c3f37a4147f38dea5f0e5a8
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2152838
    Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
    Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#67223}
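A simplified model of the out-of-bounds read the commit message describes, added here as an illustration; it is not code from V8's marking.h. It assumes one mark bit per heap word, 32-bit cells, that an object counts as black when its own bit and the following bit are both set, and that the filler's own bit is already set when it is queried; under those assumptions the successor lookup for the last word of a page lands one cell past the end unless the bitmap carries one extra cell.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

constexpr size_t kBitsPerCell = 32;

enum class Color { kWhite, kBlack, kOutOfBounds };

struct MarkingBitmap {
  std::vector<uint32_t> cells;

  // Without the fix: exactly enough cells for the page's words.
  // With the fix: one extra cell, so the successor bit of the last word exists.
  MarkingBitmap(size_t words_per_page, bool with_fix)
      : cells(words_per_page / kBitsPerCell + (with_fix ? 1 : 0), 0) {}

  void Set(size_t word) {
    cells[word / kBitsPerCell] |= 1u << (word % kBitsPerCell);
  }

  // Bounds-checked bit read. The model reports the overrun instead of
  // reading past the array as an unchecked bitmap would.
  bool Get(size_t word, bool* bit) const {
    size_t cell = word / kBitsPerCell;
    if (cell >= cells.size()) return false;
    *bit = (cells[cell] >> (word % kBitsPerCell)) & 1u;
    return true;
  }

  // Black = the object's own bit and the following bit are both set.
  // For the last word of a page the following bit lives in the next cell.
  Color IsBlack(size_t word) const {
    bool first = false, second = false;
    if (!Get(word, &first)) return Color::kOutOfBounds;
    if (!first) return Color::kWhite;
    if (!Get(word + 1, &second)) return Color::kOutOfBounds;
    return second ? Color::kBlack : Color::kWhite;
  }
};

// Scenario from the commit message: a one-word filler occupying the very
// last word of a page. Assumption: its own mark bit is already set, so the
// query goes on to read the successor bit.
Color QueryLastWordFiller(size_t words_per_page, bool with_fix) {
  MarkingBitmap bitmap(words_per_page, with_fix);
  size_t filler = words_per_page - 1;
  bitmap.Set(filler);
  return bitmap.IsBlack(filler);
}
```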
marking.h 14.9 KB