Fix ValueDeserializer::ReadDouble() bounds check

If end_ is smaller than sizeof(double), the result would wrap around, and lead to an invalid memory access. Refs: https://github.com/nodejs/node/issues/37978 Change-Id: Ibc8ddcb0c090358789a6a02f550538f91d431c1d Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2801353Reviewed-by: Marja Hölttä <marja@chromium.org> Commit-Queue: Marja Hölttä <marja@chromium.org> Cr-Commit-Position: refs/heads/master@{#73800}

Fix ValueDeserializer::ReadDouble() bounds check
If end_ is smaller than sizeof(double), the result would wrap around, and lead to an invalid memory access. Refs: https://github.com/nodejs/node/issues/37978 Change-Id: Ibc8ddcb0c090358789a6a02f550538f91d431c1d Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2801353Reviewed-by: Marja Hölttä <marja@chromium.org> Commit-Queue: Marja Hölttä <marja@chromium.org> Cr-Commit-Position: refs/heads/master@{#73800}
501482cb · cjihrig · Commit Bot · ced669da · 501482cb
Commit 501482cb authored Apr 02, 2021 by cjihrig Committed by Commit Bot Apr 06, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 1 deletion

value-serializer.cc src/objects/value-serializer.cc +2 -1

No files found.
--- a/src/objects/value-serializer.cc
+++ b/src/objects/value-serializer.cc
@@ -1202,7 +1202,8 @@ Maybe<T> ValueDeserializer::ReadZigZag() {

 Maybe<double> ValueDeserializer::ReadDouble() {
  // Warning: this uses host endianness.
-  if (position_ > end_ - sizeof(double)) return Nothing<double>();
+  if (sizeof(double) > static_cast<unsigned>(end_ - position_))
+    return Nothing<double>();
  double value;
  base::Memcpy(&value, position_, sizeof(double));
  position_ += sizeof(double);