Fix ValueDeserializer::ReadDouble() bounds check

If end_ is smaller than sizeof(double), the result would wrap
around, and lead to an invalid memory access.

Refs: nodejs/node#37978
Change-Id: Ibc8ddcb0c090358789a6a02f550538f91d431c1d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2801353
Reviewed-by: Marja Hölttä <[email protected]>
Commit-Queue: Marja Hölttä <[email protected]>
Cr-Commit-Position: refs/heads/master@{#73800}

Author: cjihrig

src/objects/value-serializer.cc

@@ -1202,7 +1202,8 @@ Maybe<T> ValueDeserializer::ReadZigZag() {
 
 Maybe<double> ValueDeserializer::ReadDouble() {
   // Warning: this uses host endianness.
-  if (position_ > end_ - sizeof(double)) return Nothing<double>();
+  if (sizeof(double) > static_cast<unsigned>(end_ - position_))
+    return Nothing<double>();
   double value;
   base::Memcpy(&value, position_, sizeof(double));
   position_ += sizeof(double);