[builtins] Harden Array.prototype.concat.

blendin · Commit Bot · commit 8284359ed060 · 2021-04-12T08:39:12.000Z
Defence in depth patch to prevent JavaScript from executing from within IterateElements. R=ishell@chromium.org R=cbruni@chromium.org Bug: chromium:1195977 Change-Id: Ie59d468b73b94818cea986a3ded0804f6dddd10b Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2819941 Reviewed-by: Camillo Bruni <cbruni@chromium.org> Reviewed-by: Igor Sheludko <ishell@chromium.org> Commit-Queue: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/master@{#73898}
diff --git a/AUTHORS b/AUTHORS
@@ -69,6 +69,7 @@ Ben Newman <ben@meteor.com>
 Ben Noordhuis <info@bnoordhuis.nl>
 Benjamin Tan <demoneaux@gmail.com>
 Bert Belder <bertbelder@gmail.com>
+Brendon Tiszka <btiszka@gmail.com>
 Brice Dobry <brice.dobry@futurewei.com>
 Burcu Dogan <burcujdogan@gmail.com>
 Caitlin Potter <caitpotter88@gmail.com>
diff --git a/src/builtins/builtins-array.cc b/src/builtins/builtins-array.cc
@@ -1089,6 +1089,9 @@ bool IterateElements(Isolate* isolate, Handle<JSReceiver> receiver,
     case HOLEY_SEALED_ELEMENTS:
     case HOLEY_NONEXTENSIBLE_ELEMENTS:
     case HOLEY_ELEMENTS: {
+      // Disallow execution so the cached elements won't change mid execution.
+      DisallowJavascriptExecution no_js(isolate);
+
       // Run through the elements FixedArray and use HasElement and GetElement
       // to check the prototype for missing elements.
       Handle<FixedArray> elements(FixedArray::cast(array->elements()), isolate);
@@ -1115,6 +1118,9 @@ bool IterateElements(Isolate* isolate, Handle<JSReceiver> receiver,
     }
     case HOLEY_DOUBLE_ELEMENTS:
     case PACKED_DOUBLE_ELEMENTS: {
+      // Disallow execution so the cached elements won't change mid execution.
+      DisallowJavascriptExecution no_js(isolate);
+
       // Empty array is FixedArray but not FixedDoubleArray.
       if (length == 0) break;
       // Run through the elements FixedArray and use HasElement and GetElement
@@ -1151,6 +1157,9 @@ bool IterateElements(Isolate* isolate, Handle<JSReceiver> receiver,
     }
 
     case DICTIONARY_ELEMENTS: {
+      // Disallow execution so the cached dictionary won't change mid execution.
+      DisallowJavascriptExecution no_js(isolate);
+
       Handle<NumberDictionary> dict(array->element_dictionary(), isolate);
       std::vector<uint32_t> indices;
       indices.reserve(dict->Capacity() / 2);

-Original file line number
+Diff line change
 Ben Noordhuis <[email protected]>
 Benjamin Tan <[email protected]>
 Bert Belder <[email protected]>
 +Brendon Tiszka <[email protected]>
 Brice Dobry <[email protected]>
 Burcu Dogan <[email protected]>
 Caitlin Potter <[email protected]>