[deserializer] ReadVarint and ReadVarintLoop should behave the same

Make sure both the fast and slow version return the same value in case
of wrong follow-bit values in the input.

Bug: chromium:1359230, chromium:1360735
Change-Id: Ic65f81109e5bbc288fa41a5540ec7e6cece10ffc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3890998
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83307}

src/objects/value-serializer.cc

@@ -1340,6 +1340,9 @@ Maybe<T> ValueDeserializer::ReadVarintLoop() {
       // Since {value} is not modified in this branch we can safely skip the
       // DCHECK when fuzzing.
       DCHECK_IMPLIES(!v8_flags.fuzzing, !has_another_byte);
+      // For consistency with the fast unrolled loop in ReadVarint we return
+      // after we have read size(T) + 1 bytes.
+      return Just(value);
     }
     position_++;
   } while (has_another_byte);

test/mjsunit/regress/regress-1359230.js

@@ -14,17 +14,24 @@ try {
 } catch(e) { }
 
 
-const str = /\dei7/sgiuy;
-const obj = {"a":str, "length":9007199254740991};
-const increment = 2061353130;
-let n = increment * 21;
-for (let i = 0; i < 52; i++) {
-  n += increment;
-  try {
-    const v9 =  d8.serializer.serialize(obj);
-    const v10 = new Uint8Array(v9);
-    v10[6] = n;
-    const v11 =  d8.serializer.deserialize(v9);
-  } catch(v12) {
+function test(length) {
+  const str = /\dei7/sgiuy;
+  const obj = {"a":str, "length":length};
+  const increment = 2061353130;
+  let n = increment * 21;
+  for (let i = 0; i < 52; i++) {
+    n += increment;
+    try {
+      const v9 =  d8.serializer.serialize(obj);
+      const v10 = new Uint8Array(v9);
+      v10[6] = n;
+      const v11 =  d8.serializer.deserialize(v9);
+    } catch(v12) {
+    }
   }
+
 }
+
+
+test(9007199254740991);
+test(0xFFFFFFFFFFFF3F43);