[Backport] CVE-2021-21156: Heap buffer overflow in V8

Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/2691314: Use a copy for transferring non detachable buffers Currently, |DOMArrayBuffer::Transfer()| makes a copy, but still uses the original buffer for transferring, thus making it possible to share a regular ArrayBuffer (not SAB) with multiple threads. Bug: 1177341 Change-Id: Idb48deb1698fe555f32531bc04b55dd3e1fb0a06 Reviewed-by: Srinivas Sista <[email protected]> Cr-Commit-Position: refs/branch-heads/4145@{#6} Cr-Branched-From: 247755238324ad7d4f4b4420523b887e49df2e48-refs/heads/master@{#768051} Reviewed-by: Allan Sandfeld Jensen <[email protected]>
qt · Feb 19, 2021 · 472fd21 · 472fd21
1 parent ab1d490
commit 472fd21
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 1 deletion.
diff --git a/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.cc b/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.cc
@@ -47,6 +47,13 @@ bool DOMArrayBuffer::Transfer(v8::Isolate* isolate,
         DOMArrayBuffer::Create(Content()->Data(), ByteLengthAsSizeT());
   }
 
+  return to_transfer->TransferDetachable(isolate, result);
+}
+
+bool DOMArrayBuffer::TransferDetachable(v8::Isolate* isolate,
+                                        ArrayBufferContents& result) {
+  DCHECK(IsDetachable(isolate));
+
   if (IsDetached()) {
     result.Detach();
     return false;
@@ -62,7 +69,7 @@ bool DOMArrayBuffer::Transfer(v8::Isolate* isolate,
 
   Vector<v8::Local<v8::ArrayBuffer>, 4> buffer_handles;
   v8::HandleScope handle_scope(isolate);
-  AccumulateArrayBuffersForAllWorlds(isolate, to_transfer, buffer_handles);
+  AccumulateArrayBuffersForAllWorlds(isolate, this, buffer_handles);
 
   for (const auto& buffer_handle : buffer_handles)
     buffer_handle->Detach();

diff --git a/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.h b/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.h
@@ -78,6 +78,9 @@ class CORE_EXPORT DOMArrayBuffer final : public DOMArrayBufferBase {
 
   v8::Local<v8::Value> Wrap(v8::Isolate*,
                             v8::Local<v8::Object> creation_context) override;
+
+ private:
+  bool TransferDetachable(v8::Isolate*, ArrayBufferContents& result);
 };
 
 }  // namespace blink