[Backport] CVE-2021-21227: Insufficient data validation in V8

Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/v8/v8/+/2839559: Merged: [compiler] Fix a bug in VisitSpeculativeIntegerAdditiveOp Revision: 9313c4ce3f32ad81df1c65becccec7e129181ce3 BUG=chromium:1199345 NOTRY=true NOPRESUBMIT=true NOTREECHECKS=true [email protected] Change-Id: I0ee9f13815b1a7d248d4caa506c6930697e1866c Commit-Queue: Georg Neis <[email protected]> Reviewed-by: Nico Hartmann <[email protected]> Cr-Commit-Position: refs/branch-heads/9.0@{#41} Cr-Branched-From: bd0108b4c88e0d6f2350cb79b5f363fbd02f3eb7-refs/heads/9.0.257@{#1} Cr-Branched-From: 349bcc6a075411f1a7ce2d866c3dfeefc2efa39d-refs/heads/master@{#73001} Reviewed-by: Allan Sandfeld Jensen <[email protected]>
qt · May 7, 2021 · bc38ef7 · bc38ef7
1 parent 68da9a7
commit bc38ef7
Showing 1 changed file with 8 additions and 3 deletions.
diff --git a/chromium/v8/src/compiler/simplified-lowering.cc b/chromium/v8/src/compiler/simplified-lowering.cc
@@ -1318,10 +1318,15 @@ class RepresentationSelector {
     Type right_feedback_type = TypeOf(node->InputAt(1));
 
     // Using Signed32 as restriction type amounts to promising there won't be
-    // signed overflow. This is incompatible with relying on a Word32
-    // truncation in order to skip the overflow check.
+    // signed overflow. This is incompatible with relying on a Word32 truncation
+    // in order to skip the overflow check.  Similarly, we must not drop -0 from
+    // the result type unless we deopt for -0 inputs.
     Type const restriction =
-        truncation.IsUsedAsWord32() ? Type::Any() : Type::Signed32();
+        truncation.IsUsedAsWord32()
+            ? Type::Any()
+            : (truncation.identify_zeros() == kIdentifyZeros)
+                  ? Type::Signed32OrMinusZero()
+                  : Type::Signed32();
 
     // Handle the case when no int32 checks on inputs are necessary (but
     // an overflow check is needed on the output). Note that we do not