[value-serializer] Ensure deserialized JSRegExp flags are valid

src/value-serializer.cc

Index: src/value-serializer.cc
diff --git a/src/value-serializer.cc b/src/value-serializer.cc
index caedf9f0bc87c5fd13e1c143a5b2e9dc3c4f8afa..2ba06c170b3ef17bba554d6ef94a3fb699e019a0 100644
--- a/src/value-serializer.cc
+++ b/src/value-serializer.cc
@@ -1463,11 +1463,22 @@ MaybeHandle<JSRegExp> ValueDeserializer::ReadJSRegExp() {
   uint32_t raw_flags;
   Handle<JSRegExp> regexp;
   if (!ReadString().ToHandle(&pattern) ||
-      !ReadVarint<uint32_t>().To(&raw_flags) ||
+      !ReadVarint<uint32_t>().To(&raw_flags)) {
+    return MaybeHandle<JSRegExp>();
+  }
+
+  // Ensure the deserialized flags are valid. The context behind this is that
+  // the JSRegExp::Flags enum statically includes kDotAll, but it is only valid
+  // to set kDotAll if FLAG_harmony_regexp_dotall is enabled. Fuzzers don't
+  // know about this and happily set kDotAll anyways, leading to CHECK failures
+  // later on.
+  uint32_t flags_mask = static_cast<uint32_t>(-1) << JSRegExp::FlagCount();
+  if ((raw_flags & flags_mask) ||
       !JSRegExp::New(pattern, static_cast<JSRegExp::Flags>(raw_flags))
            .ToHandle(&regexp)) {
     return MaybeHandle<JSRegExp>();
   }
+
   AddObjectWithID(id, regexp);
   return regexp;
 }