test · 8990399dc7c2f36ba4f566a415a0823d229dff21 · Linshizhi / V8

ValueDeserializer: Only allow valid keys when deserializing object properties. · 8990399d

jbroman authored Feb 16, 2017

The serializer won't ever write a more complex object. Not validating this
allows other things to be used as keys, and converted to string when the
property set actually occurs. It turns out this gives an opportunity to trigger
OOM by giving an object a key which is a very large sparse array (whose string
representation is very large).

This case is now rejected by the deserializer.

BUG=chromium:686511

Review-Url: https://codereview.chromium.org/2697023002
Cr-Commit-Position: refs/heads/master@{#43249}

8990399d

Name	Last commit	Last update
..
benchmarks		Loading commit data...
cctest		Loading commit data...
common		Loading commit data...
debugger		Loading commit data...
fuzzer		Loading commit data...
inspector		Loading commit data...
intl		Loading commit data...
js-perf-test		Loading commit data...
memory		Loading commit data...
message		Loading commit data...
mjsunit		Loading commit data...
mozilla		Loading commit data...
preparser		Loading commit data...
promises-aplus		Loading commit data...
test262		Loading commit data...
unittests		Loading commit data...
webkit		Loading commit data...
BUILD.gn		Loading commit data...
bot_default.gyp		Loading commit data...
bot_default.isolate		Loading commit data...
default.gyp		Loading commit data...
default.isolate		Loading commit data...
optimize_for_size.gyp		Loading commit data...
optimize_for_size.isolate		Loading commit data...
perf.gyp		Loading commit data...
perf.isolate		Loading commit data...