v8: back-port fix for CVE-2013-2882

Quoting the CVE:

    Google V8, as used in Google Chrome before 28.0.1500.95, allows
    remote attackers to cause a denial of service or possibly have
    unspecified other impact via vectors that leverage "type confusion."

Likely has zero impact on node.js because it only runs local, trusted
code but let's apply it anyway.

This is a back-port of upstream commit r15665. Original commit log:

    Use internal array as API function cache.

    R=yangguo@chromium.org
    BUG=chromium:260106
    TEST=cctest/test-api/Regress260106

    Review URL: https://codereview.chromium.org/19159003

Fixes #5973.

diff --git a/deps/v8/src/apinatives.js b/deps/v8/src/apinatives.js
index 79b41dd..adefab6 100644 (file)
--- a/deps/v8/src/apinatives.js
+++ b/deps/v8/src/apinatives.js
@@ -37,7 +37,7 @@ function CreateDate(time) {
 }
 
 
-var kApiFunctionCache = {};
+var kApiFunctionCache = new InternalArray();
 var functionCache = kApiFunctionCache;
 
 

diff --git a/deps/v8/test/cctest/test-api.cc b/deps/v8/test/cctest/test-api.cc
index 728a8f7..bcd28bd 100644 (file)
--- a/deps/v8/test/cctest/test-api.cc
+++ b/deps/v8/test/cctest/test-api.cc
@@ -17707,6 +17707,17 @@ THREADED_TEST(Regress157124) {
 }
 
 
+THREADED_TEST(Regress260106) {
+  LocalContext context;
+  v8::HandleScope scope(context->GetIsolate());
+  Local<FunctionTemplate> templ = FunctionTemplate::New(DummyCallHandler);
+  CompileRun("for (var i = 0; i < 128; i++) Object.prototype[i] = 0;");
+  Local<Function> function = templ->GetFunction();
+  CHECK(!function.IsEmpty());
+  CHECK(function->IsFunction());
+}
+
+
 #ifndef WIN32
 class ThreadInterruptTest {
  public: