Version 5.0.71.47 (cherry-pick)

Merged 3a9bfecfe41737aaf0dbf92ce68352f8acaaaf73

Fix overflow issue in Zone::New

BUG=chromium:606115
LOG=N
R=cbruni@chromium.org

Review URL: https://codereview.chromium.org/1945313002 .

Cr-Commit-Position: refs/branch-heads/5.0@{#56}
Cr-Branched-From: ad16e6c2cbd2c6b0f2e8ff944ac245561c682ac2-refs/heads/5.0.71@{#1}
Cr-Branched-From: bd9df50d75125ee2ad37b3d92c8f50f0a8b5f030-refs/heads/master@{#34215}
diff --git a/include/v8-version.h b/include/v8-version.h
index 6bb1b61..cde8bf1 100644
--- a/include/v8-version.h
+++ b/include/v8-version.h
@@ -11,7 +11,7 @@
 #define V8_MAJOR_VERSION 5
 #define V8_MINOR_VERSION 0
 #define V8_BUILD_NUMBER 71
-#define V8_PATCH_LEVEL 46
+#define V8_PATCH_LEVEL 47
 
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
diff --git a/src/zone.cc b/src/zone.cc
index 9dcebba..1f722f2 100644
--- a/src/zone.cc
+++ b/src/zone.cc
@@ -105,7 +105,10 @@
   Address result = position_;
 
   const size_t size_with_redzone = size + kASanRedzoneBytes;
-  if (limit_ < position_ + size_with_redzone) {
+  const uintptr_t limit = reinterpret_cast<uintptr_t>(limit_);
+  const uintptr_t position = reinterpret_cast<uintptr_t>(position_);
+  // position_ > limit_ can be true after the alignment correction above.
+  if (limit < position || size_with_redzone > limit - position) {
     result = NewExpand(size_with_redzone);
   } else {
     position_ += size_with_redzone;
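Review bot: The rewritten guard on the `if` line closes the wrapped pointer sum, but `size_with_redzone` on the unchanged context line above is still `size + kASanRedzoneBytes`, and that addition (like the alignment rounding the new comment refers to, which lies outside the hunk) can itself wrap for a `size` near `SIZE_MAX`, after which a huge request would look small and pass the new comparison. If this path can be reached with a caller-supplied size that is not bounded earlier, a fail-fast check before the addition closes that gap, e.g. `CHECK_LE(size, std::numeric_limits<size_t>::max() - kASanRedzoneBytes);` (pulling in `<limits>` if the file does not already have it). The comment `// position_ > limit_ can be true ...` reads more naturally if it matches the operand order actually tested, `// limit < position can be true after the alignment correction above.`. Zone::New begins before this hunk, so whether an earlier bound on `size` already exists cannot be confirmed from here.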
@@ -222,7 +225,10 @@
   // Make sure the requested size is already properly aligned and that
   // there isn't enough room in the Zone to satisfy the request.
   DCHECK_EQ(size, RoundDown(size, kAlignment));
-  DCHECK_LT(limit_, position_ + size);
+  DCHECK(limit_ < position_ ||
+         reinterpret_cast<uintptr_t>(limit_) -
+                 reinterpret_cast<uintptr_t>(position_) <
+             size);
 
   // Compute the new segment size. We use a 'high water mark'
   // strategy, where we increase the segment size every time we expand
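Review bot: The DCHECK on the new lines spells the "no room" condition differently from the check in Zone::New in the previous hunk (a raw pointer comparison for the first disjunct, `uintptr_t` casts only for the subtraction), so the two sites express one invariant in two shapes and can drift apart on the next edit. A small file-local helper that both sites call keeps the overflow-safe comparison in one place, and the DCHECK collapses to `DCHECK(!FitsBelowLimit(position_, limit_, size));`. NewExpand's body continues outside the hunk on both sides, so the rest of its preconditions cannot be checked here.
```cpp
// True when [position, position + size) fits below limit without the pointer
// arithmetic wrapping; position may exceed limit after alignment correction.
static bool FitsBelowLimit(Address position, Address limit, size_t size) {
  const uintptr_t pos = reinterpret_cast<uintptr_t>(position);
  const uintptr_t lim = reinterpret_cast<uintptr_t>(limit);
  return pos <= lim && size <= lim - pos;
}

// … unchanged: NewExpand up to the alignment DCHECK …
  DCHECK(!FitsBelowLimit(position_, limit_, size));
// … unchanged: segment size computation …
```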