commit | a84c4b763ed287f762e4112c73d9fb357605b02c | |
---|---|---|
author | Bryan Ferris <bferris@google.com> | Tue Mar 05 15:05:33 2019 -0800 |
committer | android-build-team Robot <android-build-team-robot@google.com> | Wed Mar 13 18:01:12 2019 +0000 |
tree | 2b7d37b4afa7e78a32735e55583fe2ab6297972f | |
parent | f88303717d5ed67e6ba13c7177ebd3aada958caf |

Fix OOB read in libpac ast-numbering.cc

From the upstream patch (https://chromium.googlesource.com/v8/v8.git/+/fbf974e2af0f62b075e62701581099211f83adb6%5E%21/#F0):
"""
Add missing early-bailouts in ast traversal visitors
"""

Bug: 117555811
Test: adb shell /data/nativetest/proxy_resolver_v8_unittest/proxy_resolver_v8_unittest
Test: gts-tradefed run gts --test \
  com.google.android.gts.devicepolicy.DeviceOwnerTest#testProxyPacProxyTest \
  --module GtsGmscoreHostTestCases
Test: PoC from bug report
Merged-In: I2e02d994f107e64e4f465b4d8a02d4159a95240e
Change-Id: Ia62b5ea79d79400166b7e238be1933c55730612b
(cherry picked from commit 8cc1440e71299ca16640b4371adf378d0a61983f)

diff --git a/src/ast/ast-numbering.cc b/src/ast/ast-numbering.cc index 499760d..811bd33 100644 --- a/src/ast/ast-numbering.cc +++ b/src/ast/ast-numbering.cc
@@ -616,6 +616,8 @@ if (statements == NULL) return; for (int i = 0; i < statements->length(); i++) { Visit(statements->at(i)); + if (statements->at(i)->IsJump()) + break; } }
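
Review bot: The added `if (statements->at(i)->IsJump())` check in the statement loop has no comment saying why the statements after a jump are left unvisited, so a reader of the file alone cannot tell that stopping here is deliberate. A one-line comment above it would help, for example that the loop stops after a jump statement as one of the early bailouts the commit message refers to. Two smaller points on the same lines: the `if` spans two lines without braces inside a braced `for` body, so putting `break;` in braces would keep a later edit from slipping a second statement under it, and `statements->at(i)` is now evaluated twice per iteration, which a local variable would avoid. The diff touches only src/ast/ast-numbering.cc, so the PoC named in the Test: lines is not captured as a regression test; adding one with the fix would show if the bailout is ever dropped again.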