
Commit 3e5d228

Sergei Glazunov authored and mibrunin committed
[Backport] CVE-2021-21156: Heap buffer overflow in V8
Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/2691314: Use a copy for transferring non-detachable buffers. Currently, |DOMArrayBuffer::Transfer()| makes a copy, but still uses the original buffer for transferring, thus making it possible to share a regular ArrayBuffer (not SAB) with multiple threads. Bug: 1177341 Change-Id: Idb48deb1698fe555f32531bc04b55dd3e1fb0a06 Reviewed-by: Srinivas Sista <[email protected]> Cr-Commit-Position: refs/branch-heads/4145@{#6} Cr-Branched-From: 247755238324ad7d4f4b4420523b887e49df2e48-refs/heads/master@{#768051} Reviewed-by: Allan Sandfeld Jensen <[email protected]> Reviewed-by: Michal Klocek <[email protected]>
1 parent 4e9b94e commit 3e5d228

2 files changed

+15
-2
lines changed
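--- a/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.cc
+++ b/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.cc
@@ -44,13 +44,24 @@ bool DOMArrayBuffer::Transfer(v8::Isolate* isolate,
     to_transfer =
         DOMArrayBuffer::Create(Buffer()->Data(), Buffer()->ByteLength());
   }
+  return to_transfer->TransferNeuterable(isolate, result);
+}
+
+bool DOMArrayBuffer::TransferNeuterable(v8::Isolate* isolate,
+                                        WTF::ArrayBufferContents& result) {
+  DCHECK(IsNeuterable(isolate));
+
+  if (IsNeutered()) {
+    result.Neuter();
+    return false;
+  }
 
-  if (!to_transfer->Buffer()->Transfer(result))
+  if (!Buffer()->Transfer(result))
     return false;
 
   Vector<v8::Local<v8::ArrayBuffer>, 4> buffer_handles;
   v8::HandleScope handle_scope(isolate);
-  AccumulateArrayBuffersForAllWorlds(isolate, to_transfer, buffer_handles);
+  AccumulateArrayBuffersForAllWorlds(isolate, this, buffer_handles);
 
   for (const auto& buffer_handle : buffer_handles)
     buffer_handle->Neuter();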
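Review bot: The precondition of the new TransferNeuterable is expressed only by the `DCHECK(IsNeuterable(isolate))` on new line 52, which is compiled out in release builds, so the guarantee that a buffer still reachable from other owners is never transferred and neutered in place rests entirely on Transfer() routing such buffers through the DOMArrayBuffer::Create copy on lines 44-45 before calling it. Transfer() begins before this hunk, so the condition that selects the copy path is not visible here; if it is the inverse of IsNeuterable, a comment saying so at the call site on line 47 would tie the two together, e.g. `// |to_transfer| is either |this| (neuterable) or a private copy, so its backing store has a single owner.`. The private declaration added in dom_array_buffer.h on line 57 has no contract comment either; a short one there would help future callers: `// Moves the backing store into |result| and neuters every v8 wrapper of |this| in all worlds. Caller must ensure IsNeuterable(isolate).`. The body of TransferNeuterable continues past the end of this hunk.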

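--- a/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.h
+++ b/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.h
@@ -54,6 +54,8 @@ class CORE_EXPORT DOMArrayBuffer final : public DOMArrayBufferBase {
                                 v8::Local<v8::Object> creation_context) override;
 
  private:
+  bool TransferNeuterable(v8::Isolate*, WTF::ArrayBufferContents& result);
+
   explicit DOMArrayBuffer(scoped_refptr<WTF::ArrayBuffer> buffer)
       : DOMArrayBufferBase(std::move(buffer)) {}
 };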
