commit | 8cc1440e71299ca16640b4371adf378d0a61983f | [log] [tgz] |
---|---|---|
author | Bryan Ferris <bferris@google.com> | Tue Mar 05 15:05:33 2019 -0800 |
committer | Bryan Ferris <bferris@google.com> | Wed Mar 06 18:39:18 2019 +0000 |
tree | cf3f4f274abea7b17e1636158a987acaa327d777 | |
parent | ef942a244dd8b1c9b3707430b826c90ef79a897a [diff] |
Fix OOB read in libpac ast-numbering.cc

From the upstream patch (https://chromium.googlesource.com/v8/v8.git/+/fbf974e2af0f62b075e62701581099211f83adb6%5E%21/#F0):
"""
Add missing early-bailouts in ast traversal visitors
"""

Bug: 117555811
Test: adb shell /data/nativetest/proxy_resolver_v8_unittest/proxy_resolver_v8_unittest
Test: gts-tradefed run gts --test \
    com.google.android.gts.devicepolicy.DeviceOwnerTest#testProxyPacProxyTest \
    --module GtsGmscoreHostTestCases
Test: PoC from bug report
Merged-In: I2e02d994f107e64e4f465b4d8a02d4159a95240e
Change-Id: Ia62b5ea79d79400166b7e238be1933c55730612b
diff --git a/src/ast/ast-numbering.cc b/src/ast/ast-numbering.cc index 499760d..811bd33 100644 --- a/src/ast/ast-numbering.cc +++ b/src/ast/ast-numbering.cc
@@ -616,6 +616,8 @@ if (statements == NULL) return; for (int i = 0; i < statements->length(); i++) { Visit(statements->at(i)); + if (statements->at(i)->IsJump()) + break; } }
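Review bot: The added `if (statements->at(i)->IsJump()) break;` in the statements loop carries no comment saying why traversal must stop after a jump statement, and the reason cannot be recovered from this hunk; add a one-line comment naming what this bailout has to stay consistent with, since the commit message only quotes "missing early-bailouts in ast traversal visitors". That quoted upstream description is plural ("visitors") while this diff touches only src/ast/ast-numbering.cc, so confirm that no other visitor in this tree needs the same bailout. Minor: `statements->at(i)` is now evaluated twice per iteration and could be held in a local, and the two-line `if` would be safer with braces. The PoC is listed only under Test: in the message; no regression test is part of the change.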