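--- a/src/value-serializer.cc
+++ b/src/value-serializer.cc
@@ -1,10 +1,10 @@
 // Copyright 2016 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/value-serializer.h"
 
 #include <type_traits>
 
 #include "include/v8-value-serializer-version.h"
 #include "src/base/logging.h"
@@ -1456,25 +1456,36 @@
   AddObjectWithID(id, value);
   return value;
 }
 
 MaybeHandle<JSRegExp> ValueDeserializer::ReadJSRegExp() {
   uint32_t id = next_id_++;
   Handle<String> pattern;
   uint32_t raw_flags;
   Handle<JSRegExp> regexp;
   if (!ReadString().ToHandle(&pattern) ||
-      !ReadVarint<uint32_t>().To(&raw_flags) ||
+      !ReadVarint<uint32_t>().To(&raw_flags)) {
+    return MaybeHandle<JSRegExp>();
+  }
+
+  // Ensure the deserialized flags are valid. The context behind this is that
+  // the JSRegExp::Flags enum statically includes kDotAll, but it is only valid
+  // to set kDotAll if FLAG_harmony_regexp_dotall is enabled. Fuzzers don't
+  // know about this and happily set kDotAll anyways, leading to CHECK failures
+  // later on.
+  uint32_t flags_mask = static_cast<uint32_t>(-1) << JSRegExp::FlagCount();
+  if ((raw_flags & flags_mask) ||
       !JSRegExp::New(pattern, static_cast<JSRegExp::Flags>(raw_flags))
            .ToHandle(®exp)) {
     return MaybeHandle<JSRegExp>();
   }
+
   AddObjectWithID(id, regexp);
   return regexp;
 }
 
 MaybeHandle<JSMap> ValueDeserializer::ReadJSMap() {
   // If we are at the end of the stack, abort. This function may recurse.
   STACK_CHECK(isolate_, MaybeHandle<JSMap>());
 
   HandleScope scope(isolate_);
   uint32_t id = next_id_++;
@@ -2026,10 +2037,10 @@
   if (stack.size() != 1) {
     isolate_->Throw(*isolate_->factory()->NewError(
         MessageTemplate::kDataCloneDeserializationError));
     return MaybeHandle<Object>();
   }
   return scope.CloseAndEscape(stack[0]);
 }
 
 }  // namespace internal
 }  // namespace v8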
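Review bot: The mask built on new line 1475 rejects only bits at or above `JSRegExp::FlagCount()`, so it stops an untrusted kDotAll bit only if FlagCount() is evaluated at runtime against FLAG_harmony_regexp_dotall and kDotAll is the highest flag bit — neither is visible in this hunk, and the comment above the mask describes the symptom rather than that dependency. I would state it next to the mask: `// Relies on FlagCount() excluding kDotAll while FLAG_harmony_regexp_dotall is off, and on kDotAll being the highest flag bit; a flag added below it would slip past this check.` A `DCHECK_LT(JSRegExp::FlagCount(), 32);` before the shift would also pin down that the left shift of the all-ones value stays defined. The early `return MaybeHandle<JSRegExp>()` matches the existing failure paths in this function, so the caller's error reporting is presumably unchanged.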