[bigint] Make deserialization of invalid data more robust

There is no -0n, and we'd therefore never serialize such a BigInt. But we can't trust serialized data to not have gotten corrupted (or be fuzzer-generated), so guard against this case when deserializing. Fixed: chromium:1359937 Change-Id: If11d9a364480bae51911cc4a0ce8a719853139fe Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3904414Reviewed-by: Camillo Bruni <cbruni@chromium.org> Commit-Queue: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by: Nico Hartmann <nicohartmann@chromium.org> Auto-Submit: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/main@{#83362}

[bigint] Make deserialization of invalid data more robust
There is no -0n, and we'd therefore never serialize such a BigInt. But we can't trust serialized data to not have gotten corrupted (or be fuzzer-generated), so guard against this case when deserializing. Fixed: chromium:1359937 Change-Id: If11d9a364480bae51911cc4a0ce8a719853139fe Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3904414Reviewed-by: Camillo Bruni <cbruni@chromium.org> Commit-Queue: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by: Nico Hartmann <nicohartmann@chromium.org> Auto-Submit: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/main@{#83362}
b588a3c6 · Jakob Kummerow · V8 LUCI CQ · bf35ae0d · b588a3c6 · b588a3c6
Commit b588a3c6 authored Sep 21, 2022 by Jakob Kummerow Committed by V8 LUCI CQ Sep 21, 2022
Hide whitespace changes
Inline Side-by-side

Showing with 22 additions and 0 deletions

bigint.cc src/objects/bigint.cc +4 -0

value-serializer-unittest.cc test/unittests/objects/value-serializer-unittest.cc +18 -0

No files found.
--- a/src/objects/bigint.cc
+++ b/src/objects/bigint.cc
@@ -343,6 +343,8 @@ void MutableBigInt::Canonicalize(MutableBigInt result) {
  }
  DCHECK_IMPLIES(result.length() > 0,
                 result.digit(result.length() - 1) != 0);  // MSD is non-zero.
+  // Callers that don't require trimming must ensure this themselves.
+  DCHECK_IMPLIES(result.length() == 0, result.sign() == false);
 }

 template <typename IsolateT>
@@ -1379,6 +1381,8 @@ MaybeHandle<BigInt> BigInt::FromSerializedDigits(
  DCHECK(digits_storage.length() == bytelength);
  bool sign = SignBits::decode(bitfield);
  int length = (bytelength + kDigitSize - 1) / kDigitSize;  // Round up.
+  // There is no -0n. Reject corrupted serialized data.
+  if (length == 0 && sign == true) return {};
  Handle<MutableBigInt> result =
      MutableBigInt::Cast(isolate->factory()->NewBigInt(length));
  result->initialize_bitfield(sign, length);

--- a/test/unittests/objects/value-serializer-unittest.cc
+++ b/test/unittests/objects/value-serializer-unittest.cc
@@ -595,6 +595,24 @@ TEST_F(ValueSerializerTest, DecodeBigInt) {
          0x2A,        // Digit: 42
      },
      [this](Local<Value> value) { ExpectScriptTrue("result === 42n"); });
+  InvalidDecodeTest({
+      0xFF, 0x0F,  // Version 15
+      0x5A,        // BigInt
+      0x01,        // Bitfield: sign = true, bytelength = 0
+  });
+  // From a philosophical standpoint, we could reject this case as invalid as
+  // well, but it would require extra code and probably isn't worth it, so
+  // we quietly normalize this invalid input to {0n}.
+  DecodeTestFutureVersions(
+      {
+          0xFF, 0x0F,             // Version 15
+          0x5A,                   // BigInt
+          0x09,                   // Bitfield: sign = true, bytelength = 4
+          0x00, 0x00, 0x00, 0x00  // Digits.
+      },
+      [this](Local<Value> value) {
+        ExpectScriptTrue("(result | result) === 0n");
+      });
 }

 // String constants (in UTF-8) used for string encoding tests.