Merge tag 'v4.4.6' into v4.x-port

2016-06-23 Version 4.4.6 'Argon' (LTS)
ibmruntimes · Jun 24, 2016 · 68a43b7 · 68a43b7
2 parents 3be2bab + a4d9beb
commit 68a43b7
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 4 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,15 @@
 # Node.js ChangeLog
 
+## 2016-06-22, Version 4.4.6 'Argon' (LTS), @thealphanerd
+
+This is an important security release. All Node.js users should consult the security release summary at nodejs.org for details on patched vulnerabilities.
+
+This release is specifically related to a Buffer overflow vulnerability discovered in v8, more details can be found [in the CVE](https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1669)
+
+### Commits
+
+* [[`134c3b3977`](https://github.com/nodejs/node/commit/134c3b3977)] - **deps**: backport 3a9bfec from v8 upstream (Ben Noordhuis) [nodejs/node-private#38](https://github.com/nodejs/node-private/pull/38)
+
 ## 2016-05-24, Version 4.4.5 'Argon' (LTS), @thealphanerd
 
 ### Notable Changes

diff --git a/deps/v8/include/v8-version.h b/deps/v8/include/v8-version.h
@@ -11,7 +11,7 @@
 #define V8_MAJOR_VERSION 4
 #define V8_MINOR_VERSION 5
 #define V8_BUILD_NUMBER 103
-#define V8_PATCH_LEVEL 35
+#define V8_PATCH_LEVEL 36
 
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)

diff --git a/deps/v8/src/zone.cc b/deps/v8/src/zone.cc
@@ -105,7 +105,10 @@ void* Zone::New(size_t size) {
   Address result = position_;
 
   const size_t size_with_redzone = size + kASanRedzoneBytes;
-  if (limit_ < position_ + size_with_redzone) {
+  const uintptr_t limit = reinterpret_cast<uintptr_t>(limit_);
+  const uintptr_t position = reinterpret_cast<uintptr_t>(position_);
+  // position_ > limit_ can be true after the alignment correction above.
+  if (limit < position || size_with_redzone > limit - position) {
     result = NewExpand(size_with_redzone);
   } else {
     position_ += size_with_redzone;
@@ -222,7 +225,10 @@ Address Zone::NewExpand(size_t size) {
   // Make sure the requested size is already properly aligned and that
   // there isn't enough room in the Zone to satisfy the request.
   DCHECK_EQ(size, RoundDown(size, kAlignment));
-  DCHECK_LT(limit_, position_ + size);
+  DCHECK(limit_ < position_ ||
+         reinterpret_cast<uintptr_t>(limit_) -
+                 reinterpret_cast<uintptr_t>(position_) <
+             size);
 
   // Compute the new segment size. We use a 'high water mark'
   // strategy, where we increase the segment size every time we expand

diff --git a/src/node_version.h b/src/node_version.h
@@ -8,7 +8,7 @@
 #define NODE_VERSION_IS_LTS 1
 #define NODE_VERSION_LTS_CODENAME "Argon"
 
-#define NODE_VERSION_IS_RELEASE 0
+#define NODE_VERSION_IS_RELEASE 1
 
 #ifndef NODE_STRINGIFY
 #define NODE_STRINGIFY(n) NODE_STRINGIFY_HELPER(n)