v8: back-port fix for CVE-2013-2882

mstarzinger@chromium.org · bnoordhuis · commit 6b92a7132141 · 2013-08-05T18:17:24.000+02:00
Quoting the CVE: Google V8, as used in Google Chrome before 28.0.1500.95, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that leverage "type confusion." Likely has zero impact on node.js because it only runs local, trusted code but let's apply it anyway. This is a back-port of upstream commit r15665. Original commit log: Use internal array as API function cache. R=yangguo@chromium.org BUG=chromium:260106 TEST=cctest/test-api/Regress260106 Review URL: https://codereview.chromium.org/19159003 Fixes #5973.
diff --git a/deps/v8/src/apinatives.js b/deps/v8/src/apinatives.js
@@ -37,7 +37,7 @@ function CreateDate(time) {
 }
 
 
-var kApiFunctionCache = {};
+var kApiFunctionCache = new InternalArray();
 var functionCache = kApiFunctionCache;
 
 
diff --git a/deps/v8/test/cctest/test-api.cc b/deps/v8/test/cctest/test-api.cc
@@ -17707,6 +17707,17 @@ THREADED_TEST(Regress157124) {
 }
 
 
+THREADED_TEST(Regress260106) {
+  LocalContext context;
+  v8::HandleScope scope(context->GetIsolate());
+  Local<FunctionTemplate> templ = FunctionTemplate::New(DummyCallHandler);
+  CompileRun("for (var i = 0; i < 128; i++) Object.prototype[i] = 0;");
+  Local<Function> function = templ->GetFunction();
+  CHECK(!function.IsEmpty());
+  CHECK(function->IsFunction());
+}
+
+
 #ifndef WIN32
 class ThreadInterruptTest {
  public:

Original file line number	Diff line number	Diff line change
`@@ -37,7 +37,7 @@ function CreateDate(time) {`
`37`	`37`	`}`
`38`	`38`
`39`	`39`
`40`		`-var kApiFunctionCache = {};`
	`40`	`+var kApiFunctionCache = new InternalArray();`
`41`	`41`	`var functionCache = kApiFunctionCache;`
`42`	`42`
`43`	`43`