Files · 540419b660ae8da1d24767be5b95fc0421680580 · Linshizhi / V8

[value-serializer] Verify deserialized JSRegExp flags · 540419b6

jgruber authored May 10, 2017

One of the serializer fuzzers passes in random data to the deserializer,
which can then be used to deserialize a JSRegExp instance with random flag
contents. This can cause issues since the JSRegExp::Flag enum statically
contains kDotAll - but it is only valid to set kDotAll iff
FLAG_harmony_regexp_dotall is set.

This CL verifies deserialized flags before constructing the JSRegExp
and bails out if they are invalid.

R=jbroman@chromium.org,yangguo@chromium.org
BUG=chromium:719280

Review-Url: https://codereview.chromium.org/2870743004
Cr-Commit-Position: refs/heads/master@{#45222}

540419b6

Name	Last commit	Last update
benchmarks		Loading commit data...
build_overrides		Loading commit data...
docs		Loading commit data...
gni		Loading commit data...
gypfiles		Loading commit data...
include		Loading commit data...
infra		Loading commit data...
samples		Loading commit data...
src		Loading commit data...
test		Loading commit data...
testing		Loading commit data...
third_party		Loading commit data...
tools		Loading commit data...
.clang-format		Loading commit data...
.gitignore		Loading commit data...
.gn		Loading commit data...
.ycm_extra_conf.py		Loading commit data...
AUTHORS		Loading commit data...
BUILD.gn		Loading commit data...
CODE_OF_CONDUCT.md		Loading commit data...
ChangeLog		Loading commit data...
DEPS		Loading commit data...
LICENSE		Loading commit data...
LICENSE.fdlibm		Loading commit data...
LICENSE.strongtalk		Loading commit data...
LICENSE.v8		Loading commit data...
LICENSE.valgrind		Loading commit data...
Makefile		Loading commit data...
Makefile.android		Loading commit data...
OWNERS		Loading commit data...
PRESUBMIT.py		Loading commit data...
README.md		Loading commit data...
WATCHLISTS		Loading commit data...
codereview.settings		Loading commit data...
snapshot_toolchain.gni		Loading commit data...

README.md