From ca13f7aaf36ee9f88368f15f294acf171c0af859 Mon Sep 17 00:00:00 2001
From: cjihrig
Date: Thu, 1 Apr 2021 20:41:04 -0400
Subject: [PATCH 1/2] deps: V8: cherry-pick 501482cbc704
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Original commit message:
Fix ValueDeserializer::ReadDouble() bounds check
If end_ is smaller than sizeof(double), the result would wrap around, and lead to an invalid memory access.
Refs: https://github.com/nodejs/node/issues/37978
Change-Id: Ibc8ddcb0c090358789a6a02f550538f91d431c1d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2801353
Reviewed-by: Marja Hölttä
Commit-Queue: Marja Hölttä
Cr-Commit-Position: refs/heads/master@{#73800}
PR-URL: https://github.com/nodejs/node/pull/38121
Fixes: https://github.com/nodejs/node/issues/37978
Refs: https://github.com/v8/v8/commit/501482cbc704
Reviewed-By: James M Snell
Reviewed-By: Jiawen Geng
Reviewed-By: Darshan Sen
---
 common.gypi | 2 +-
 deps/v8/src/objects/value-serializer.cc | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/common.gypi b/common.gypi
index 5e6383ab3cc44d..ba6b791a6ccf82 100644
--- a/common.gypi
+++ b/common.gypi
@@ -36,7 +36,7 @@
 # Reset this number to 0 on major V8 upgrades.
 # Increment by one for each non-official patch applied to deps/v8.
- 'v8_embedder_string': '-node.8',
+ 'v8_embedder_string': '-node.9',
 ##### V8 defaults for Node.js #####
diff --git a/deps/v8/src/objects/value-serializer.cc b/deps/v8/src/objects/value-serializer.cc
index 4ecf4832989292..246281e4e2b44b 100644
--- a/deps/v8/src/objects/value-serializer.cc
+++ b/deps/v8/src/objects/value-serializer.cc
@@ -1190,7 +1190,8 @@ Maybe ValueDeserializer::ReadZigZag() {
 Maybe ValueDeserializer::ReadDouble() {
 // Warning: this uses host endianness.
- if (position_ > end_ - sizeof(double)) return Nothing();
+ if (sizeof(double) > static_cast(end_ - position_))
+ return Nothing();
 double value;
 base::Memcpy(&value, position_, sizeof(double));
 position_ += sizeof(double);
From e96773b94bbfdfd0b9d5d449ece90e4e297f9c94 Mon Sep 17 00:00:00 2001
From: cjihrig
Date: Wed, 7 Apr 2021 21:58:54 -0400
Subject: [PATCH 2/2] test: add regression test for serdes readDouble()

Refs: https://github.com/nodejs/node/issues/37978
PR-URL: https://github.com/nodejs/node/pull/38121
Reviewed-By: James M Snell
Reviewed-By: Jiawen Geng
Reviewed-By: Darshan Sen
---
 test/parallel/test-v8-serdes.js | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/test/parallel/test-v8-serdes.js b/test/parallel/test-v8-serdes.js
index 2ccfc9943a9175..1d3b6ff81168e7 100644
--- a/test/parallel/test-v8-serdes.js
+++ b/test/parallel/test-v8-serdes.js
@@ -236,3 +236,10 @@ const hostObject = new (internalBinding('js_stream').JSStream)();
 /^TypeError: buffer must be a TypedArray or a DataView$/,
 );
 }
+
+ {
+ // Regression test for https://github.com/nodejs/node/issues/37978
+ assert.throws(() => {
+ new v8.Deserializer(new v8.Serializer().releaseBuffer()).readDouble();
+ }, /ReadDouble\(\) failed/);
+ }
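Review bot: The new guard `if (sizeof(double) > static_cast(end_ - position_))` is only sound while `position_ <= end_` holds as a class invariant: if any reader ever advanced `position_` past `end_`, the negative difference would convert to a very large unsigned value and the check would pass, so the other `Read*` helpers in this class (outside this hunk) must keep the same check-before-advance discipline. The reason the comparison changed shape is worth recording next to the existing endianness warning, since the old pointer form looks natural at first glance: `// Compare the remaining byte count rather than pointers: end_ - sizeof(double) wraps when fewer than sizeof(double) bytes remain.` The template arguments on the `Maybe` return type and on `static_cast(...)` appear to have been lost in this rendering (presumably `Maybe<double>` and `static_cast<size_t>`) and should be checked against the upstream commit rather than this text. ReadDouble's body continues past the end of the hunk.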
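Review bot: The regression test only exercises the zero-length buffer produced by `new v8.Serializer().releaseBuffer()`, while the fixed comparison also covers buffers that are non-empty but shorter than a double. A second case in the same `assert.throws` shape, `new v8.Deserializer(Buffer.alloc(7)).readDouble();`, would pin that boundary, and a plain `new v8.Deserializer(Buffer.alloc(8)).readDouble()` that is expected to succeed would show the bound is not off by one; both are cheap to add. The block that owns the leading `/^TypeError: …$/` context starts before this hunk.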