
Commit 472fd21

Sergei Glazunov authored and mibrunin committed
[Backport] CVE-2021-21156: Heap buffer overflow in V8
Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/2691314:

Use a copy for transferring non-detachable buffers

Currently, |DOMArrayBuffer::Transfer()| makes a copy, but still uses the original buffer for transferring, thus making it possible to share a regular ArrayBuffer (not SAB) with multiple threads.

Bug: 1177341
Change-Id: Idb48deb1698fe555f32531bc04b55dd3e1fb0a06
Reviewed-by: Srinivas Sista <[email protected]>
Cr-Commit-Position: refs/branch-heads/4145@{#6}
Cr-Branched-From: 247755238324ad7d4f4b4420523b887e49df2e48-refs/heads/master@{#768051}
Reviewed-by: Allan Sandfeld Jensen <[email protected]>
1 parent ab1d490 commit 472fd21


2 files changed

+11
-1
lines changed


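--- a/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.cc
+++ b/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.cc
@@ -47,6 +47,13 @@ bool DOMArrayBuffer::Transfer(v8::Isolate* isolate,
 DOMArrayBuffer::Create(Content()->Data(), ByteLengthAsSizeT());
 }
 
+return to_transfer->TransferDetachable(isolate, result);
+}
+
+bool DOMArrayBuffer::TransferDetachable(v8::Isolate* isolate,
+ArrayBufferContents& result) {
+DCHECK(IsDetachable(isolate));
+
 if (IsDetached()) {
 result.Detach();
 return false;
@@ -62,7 +69,7 @@ bool DOMArrayBuffer::Transfer(v8::Isolate* isolate,
 
 Vector<v8::Local<v8::ArrayBuffer>, 4> buffer_handles;
 v8::HandleScope handle_scope(isolate);
-AccumulateArrayBuffersForAllWorlds(isolate, to_transfer, buffer_handles);
+AccumulateArrayBuffersForAllWorlds(isolate, this, buffer_handles);
 
 for (const auto& buffer_handle : buffer_handles)
 buffer_handle->Detach();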
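Review bot: TransferDetachable enforces its precondition only with `DCHECK(IsDetachable(isolate));`, which compiles out in release builds, so a non-detachable buffer reaching it would still have its wrappers in every world detached at the `AccumulateArrayBuffersForAllWorlds(isolate, this, buffer_handles)` call in the second hunk — the sharing of a regular ArrayBuffer that this commit is closing off. The only caller visible here is Transfer, which appears to route non-detachable buffers through the copy made at line 47 (the assignment to to_transfer sits above the hunk), so correctness now rests on that caller discipline rather than on the callee. A comment stating the contract would make that dependency explicit for the next caller, e.g. `// Precondition: IsDetachable(isolate). Callers must copy non-detachable buffers (see Transfer()) before calling this.`; a release-mode check would be the stronger option if the cost is acceptable. Transfer's opening lines and the body of TransferDetachable between the two hunks are outside the diff.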

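--- a/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.h
+++ b/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.h
@@ -78,6 +78,9 @@ class CORE_EXPORT DOMArrayBuffer final : public DOMArrayBufferBase {
 
 v8::Local<v8::Value> Wrap(v8::Isolate*,
 v8::Local<v8::Object> creation_context) override;
+
+private:
+bool TransferDetachable(v8::Isolate*, ArrayBufferContents& result);
 };
 
 } // namespace blink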
