deps: V8: cherry-pick 501482cbc704

cjihrig · danielleadams · commit a6dba4de55f7 · 2021-05-08T12:44:38.000-04:00
Original commit message: Fix ValueDeserializer::ReadDouble() bounds check If end_ is smaller than sizeof(double), the result would wrap around, and lead to an invalid memory access. Refs: #37978 Change-Id: Ibc8ddcb0c090358789a6a02f550538f91d431c1d Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2801353 Reviewed-by: Marja Hölttä <marja@chromium.org> Commit-Queue: Marja Hölttä <marja@chromium.org> Cr-Commit-Position: refs/heads/master@{#73800} PR-URL: #38121 Fixes: #37978 Refs: v8/v8@501482cbc704 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Jiawen Geng <technicalcute@gmail.com> Reviewed-By: Darshan Sen <raisinten@gmail.com>
diff --git a/common.gypi b/common.gypi
@@ -36,7 +36,7 @@
 
     # Reset this number to 0 on major V8 upgrades.
     # Increment by one for each non-official patch applied to deps/v8.
-    'v8_embedder_string': '-node.60',
+    'v8_embedder_string': '-node.61',
 
     ##### V8 defaults for Node.js #####
 
diff --git a/deps/v8/src/objects/value-serializer.cc b/deps/v8/src/objects/value-serializer.cc
@@ -1175,7 +1175,8 @@ Maybe<T> ValueDeserializer::ReadZigZag() {
 
 Maybe<double> ValueDeserializer::ReadDouble() {
   // Warning: this uses host endianness.
-  if (position_ > end_ - sizeof(double)) return Nothing<double>();
+  if (sizeof(double) > static_cast<unsigned>(end_ - position_))
+    return Nothing<double>();
   double value;
   memcpy(&value, position_, sizeof(double));
   position_ += sizeof(double);
