Commits on Dec 13, 2013

1. v8: backport fix for CVE-2013-{6639|6640} …

   Quoting CVE-2013-6639:
   
       The DehoistArrayIndex function in hydrogen-dehoist.cc in Google V8
       before 3.22.24.7, as used in Google Chrome before 31.0.1650.63,
       allows remote attackers to cause a denial of service (out-of-bounds
       write) or possibly have unspecified other impact via JavaScript code
       that sets the value of an array element with a crafted index.
   
   Quoting CVE-2013-6640:
   
       The DehoistArrayIndex function in hydrogen-dehoist.cc in Google V8
       before 3.22.24.7, as used in Google Chrome before 31.0.1650.63,
       allows remote attackers to cause a denial of service (out-of-bounds
       read) via JavaScript code that sets a variable to the value of an
       array element with a crafted index.
   
   Like 6b92a7, this is unlikely to affect node.js because it only runs
   local, trusted code.  However, if there exists some module somewhere
   that populates an array index with remotely provided data this could
   very well be used to crash a remote server running node.  Defense in
   depth and all.
   
   This is a backport of upstream commit r17801. Original commit log:
   
       Limit size of dehoistable array indices
   
       LOG=Y
       BUG=chromium:319835,chromium:319860
       R=dslomov@chromium.org
   
       Review URL: https://codereview.chromium.org/74113002

   

   jakobkummerow authored and indutny committed Dec 13, 2013
   Copy the full SHA

   39e2426 View commit details

   Browse the repository at this point in the history

2. Merge branch 'v0.10' …

   Conflicts:
   	deps/v8/src/elements-kind.cc
   	deps/v8/src/elements-kind.h
   	deps/v8/src/hydrogen-instructions.h
   	deps/v8/src/hydrogen.cc
   	deps/v8/src/lithium.cc
   	deps/v8/src/lithium.h

   

   indutny committed Dec 13, 2013
   Copy the full SHA

   6b4dc61 View commit details

   Browse the repository at this point in the history