[Backport] CVE-2024-12695: Out of bounds write in V8

Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/6097572:
Merged: [ic] fix Object.assign clearing object hashes

The Object.assign fastcase should not override the hash of the to
object.

Bug: 383647255
(cherry picked from commit 357d0dd4bc7f64eb81cdf49c5cf3699cf151909d)

Change-Id: I2bbf10614d7997a396800cef33144875309010d9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6097572
Reviewed-by: Camillo Bruni <[email protected]>
Commit-Queue: Igor Sheludko <[email protected]>
Cr-Commit-Position: refs/branch-heads/13.0@{#43}
Cr-Branched-From: 4be854bd71ea878a25b236a27afcecffa2e29360-refs/heads/13.0.245@{#1}
Cr-Branched-From: 1f5183f7ad6cca21029fd60653d075730c644432-refs/heads/main@{#96103}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/615320
Reviewed-by: Anu Aliyas <[email protected]>

Author: o-

chromium/v8/src/builtins/builtins-object-gen.cc

@@ -511,6 +511,13 @@ TF_BUILTIN(ObjectAssign, ObjectBuiltinsAssembler) {
     GotoIfNot(TaggedEqual(LoadElements(CAST(to)), EmptyFixedArrayConstant()),
               &slow_path);
 
+    // Ensure the properties field is not used to store a hash.
+    TNode<Object> properties = LoadJSReceiverPropertiesOrHash(to);
+    GotoIf(TaggedIsSmi(properties), &slow_path);
+    CSA_DCHECK(this,
+               Word32Or(TaggedEqual(properties, EmptyFixedArrayConstant()),
+                        IsPropertyArray(CAST(properties))));
+
     Label continue_fast_path(this), runtime_map_lookup(this, Label::kDeferred);
 
     // Check if our particular source->target combination is fast clonable.