• Justin Ridgewell's avatar
    Fix two overflow cases in SourceMap VLQ decoding · 615ecdf8
    Justin Ridgewell authored
    These both have to do with extremely large numbers, so it's unlikely to cause a problem in practice. Still, correctness.
    
    First, encoding `-2147483648` in VLQ returns the value `"B"`. When decoding, we get the value `1` after reading the base64. We then check if the first bit is set (it is) to see if we should negate it, then we shift all bits right once. Now, `value` will be `0` and `negate` will be `true`. So, we'd return `-0`. Which is a bug! `-0` isn't `-2147483648`, and we've broken a round trip.
    
    Second, encoding any number with the 31st bit set, we'd return the opposite sign. Let's use `1073741824`. Encoding, we get `"ggggggC"`. When decoding, we get the value `-2147483648` after reading the base64. Notice, it's already negative (the 32nd bit is set, because the 31st was set and we shifted everything left once). We'd then check the first bit (it's not) and shift right. But we used `>>`, which does not shift the sign bit. We actually wanted `>>>`, which will. Because of that bug, we get back `-1073741824` instead of the positive `1073741824`. It's even worse if the 32nd and 31st bits are set, `-1610612736` becomes `536870912` after a round trip.
    
    I recently fixed the same two bugs in Closure Compiler: https://github.com/google/closure-compiler/commit/584418eb
    
    Change-Id: Ib6592ad50ae3764479c1a766bbb19042ee83b99d
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2018882
    Auto-Submit: Justin Ridgewell <jridgewell@google.com>
    Commit-Queue: Mathias Bynens <mathias@chromium.org>
    Reviewed-by: 's avatarMathias Bynens <mathias@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#65987}
    615ecdf8
Name
Last commit
Last update
..
blink_tests Loading commit data...
cfi Loading commit data...
clusterfuzz Loading commit data...
debug_helper Loading commit data...
dev Loading commit data...
gcmole Loading commit data...
generate_shim_headers Loading commit data...
heap-stats Loading commit data...
ignition Loading commit data...
jsfunfuzz Loading commit data...
link_clicker.extension Loading commit data...
mb Loading commit data...
memory Loading commit data...
msan Loading commit data...
ninja Loading commit data...
node Loading commit data...
perf Loading commit data...
profview Loading commit data...
profviz Loading commit data...
release Loading commit data...
sanitizers Loading commit data...
snapshot Loading commit data...
sodium Loading commit data...
testrunner Loading commit data...
toolchain Loading commit data...
torque Loading commit data...
tracing/proto-converter Loading commit data...
turbolizer Loading commit data...
ubsan Loading commit data...
unittests Loading commit data...
v8.xcodeproj Loading commit data...
valgrind/asan Loading commit data...
vim Loading commit data...
visual_studio Loading commit data...
wasm Loading commit data...
wasm-compilation-hints Loading commit data...
BUILD.gn Loading commit data...
DEPS Loading commit data...
Makefile.tags Loading commit data...
OWNERS Loading commit data...
PRESUBMIT.py Loading commit data...
SourceMap.js Loading commit data...
__init__.py Loading commit data...
adb-d8.py Loading commit data...
android-build.sh Loading commit data...
android-ll-prof.sh Loading commit data...
android-run.py Loading commit data...
android-sync.sh Loading commit data...
arguments.js Loading commit data...
avg.py Loading commit data...
bash-completion.sh Loading commit data...
bigint-tester.py Loading commit data...
callstats.html Loading commit data...
callstats.py Loading commit data...
callstats.py.vpython Loading commit data...
callstats_groups.py Loading commit data...
check-inline-includes.sh Loading commit data...
check-static-initializers.sh Loading commit data...
check-unused-bailouts.sh Loading commit data...
check-unused-symbols.sh Loading commit data...
codemap.js Loading commit data...
collect_deprecation_stats.sh Loading commit data...
compare-table-gen.js Loading commit data...
compare_torque_output.py Loading commit data...
consarray.js Loading commit data...
cpu.sh Loading commit data...
cross_build_gcc.sh Loading commit data...
csvparser.js Loading commit data...
deprecation_stats.py Loading commit data...
detect-builtins.js Loading commit data...
disasm.py Loading commit data...
draw_instruction_graph.sh Loading commit data...
dump-cpp.py Loading commit data...
dumpcpp-driver.js Loading commit data...
dumpcpp.js Loading commit data...
eval_gc_nvp.py Loading commit data...
eval_gc_time.sh Loading commit data...
find-commit-for-patch.py Loading commit data...
find_depot_tools.py Loading commit data...
freebsd-tick-processor Loading commit data...
fuzz-harness.sh Loading commit data...
gc-nvp-to-csv.py Loading commit data...
gc-nvp-trace-processor.py Loading commit data...
gc_nvp_common.py Loading commit data...
gdb-v8-support.py Loading commit data...
gdbinit Loading commit data...
gen-inlining-tests.py Loading commit data...
gen-keywords-gen-h.py Loading commit data...
gen-postmortem-metadata.py Loading commit data...
generate-builtins-tests.py Loading commit data...
generate-header-include-checks.py Loading commit data...
generate-runtime-call-stats.py Loading commit data...
generate-ten-powers.scm Loading commit data...
get_landmines.py Loading commit data...
grokdump.py Loading commit data...
ic-explorer.html Loading commit data...
ic-processor Loading commit data...
ic-processor-driver.js Loading commit data...
ic-processor.js Loading commit data...
inspect-d8.js Loading commit data...
linux-tick-processor Loading commit data...
ll_prof.py Loading commit data...
lldb_commands.py Loading commit data...
locs.py Loading commit data...
logreader.js Loading commit data...
mac-nm Loading commit data...
mac-tick-processor Loading commit data...
map-processor Loading commit data...
map-processor-driver.js Loading commit data...
map-processor.html Loading commit data...
map-processor.js Loading commit data...
objdump-v8 Loading commit data...
parse-processor Loading commit data...
parse-processor-driver.js Loading commit data...
parse-processor.html Loading commit data...
parse-processor.js Loading commit data...
perf-compare.py Loading commit data...
plot-timer-events Loading commit data...
predictable_wrapper.py Loading commit data...
profile.js Loading commit data...
profile_view.js Loading commit data...
regexp-sequences.py Loading commit data...
run-clang-tidy.py Loading commit data...
run-llprof.sh Loading commit data...
run-num-fuzzer.py Loading commit data...
run-perf.sh Loading commit data...
run-tests.py Loading commit data...
run-wasm-api-tests.py Loading commit data...
run.py Loading commit data...
run_perf.py Loading commit data...
shell-utils.h Loading commit data...
splaytree.js Loading commit data...
stats-viewer.py Loading commit data...
test262-results-parser.js Loading commit data...
tick-processor.html Loading commit data...
tickprocessor-driver.js Loading commit data...
tickprocessor.js Loading commit data...
trace-maps-processor.py Loading commit data...
try_perf.py Loading commit data...
turbolizer-perf.py Loading commit data...
update-object-macros-undef.py Loading commit data...
v8_presubmit.py Loading commit data...
v8heapconst.py Loading commit data...
whitespace.txt Loading commit data...
windbg.js Loading commit data...
windows-tick-processor.bat Loading commit data...