From 6b92a7132141909eef8ebbf5283627e8e5a26786 Mon Sep 17 00:00:00 2001 From: "mstarzinger@chromium.org" Date: Mon, 15 Jul 2013 11:41:41 +0000 Subject: [PATCH] v8: back-port fix for CVE-2013-2882 Quoting the CVE: Google V8, as used in Google Chrome before 28.0.1500.95, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that leverage "type confusion." Likely has zero impact on node.js because it only runs local, trusted code but let's apply it anyway. This is a back-port of upstream commit r15665. Original commit log: Use internal array as API function cache. R=yangguo@chromium.org BUG=chromium:260106 TEST=cctest/test-api/Regress260106 Review URL: https://codereview.chromium.org/19159003 Fixes #5973. --- deps/v8/src/apinatives.js | 2 +- deps/v8/test/cctest/test-api.cc | 11 +++++++++++ 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/deps/v8/src/apinatives.js b/deps/v8/src/apinatives.js index 79b41dd..adefab6 100644 --- a/deps/v8/src/apinatives.js +++ b/deps/v8/src/apinatives.js @@ -37,7 +37,7 @@ function CreateDate(time) { } -var kApiFunctionCache = {}; +var kApiFunctionCache = new InternalArray(); var functionCache = kApiFunctionCache; diff --git a/deps/v8/test/cctest/test-api.cc b/deps/v8/test/cctest/test-api.cc index 728a8f7..bcd28bd 100644 --- a/deps/v8/test/cctest/test-api.cc +++ b/deps/v8/test/cctest/test-api.cc @@ -17707,6 +17707,17 @@ THREADED_TEST(Regress157124) { } +THREADED_TEST(Regress260106) { + LocalContext context; + v8::HandleScope scope(context->GetIsolate()); + Local templ = FunctionTemplate::New(DummyCallHandler); + CompileRun("for (var i = 0; i < 128; i++) Object.prototype[i] = 0;"); + Local function = templ->GetFunction(); + CHECK(!function.IsEmpty()); + CHECK(function->IsFunction()); +} + + #ifndef WIN32 class ThreadInterruptTest { public: -- 2.7.4