LibJS: Do not assume that IsArray means the object type is an Array

IsArray returns true if the object is an Array *or* if it is a ProxyObject whose target is an Array. Therefore, we cannot downcast to an Array based on IsArray. Luckily, we don't actually need an Array here; SerializeJSONArray only needs an Object. This was caught by UBSAN with vptr sanitation enabled.
Author: https://github.com/trflynn89 Commit: 3efe611dbf Pull-request: https://github.com/SerenityOS/serenity/pull/15247 Reviewed-by: https://github.com/bgianfo ✅
2025-07-29 20:29:18 +00:00 · 2022-09-14 16:11:35 -04:00 · 2022-09-14 16:11:35 -04:00 · 3efe611dbf · 2024-07-17 07:09:54 +09:00
commit 3efe611dbf
parent 98a6f962a0
1 changed files with 1 additions and 1 deletions
--- a/Userland/Libraries/LibJS/Runtime/JSONObject.cpp
+++ b/Userland/Libraries/LibJS/Runtime/JSONObject.cpp
@ -207,7 +207,7 @@ ThrowCompletionOr<String> JSONObject::serialize_json_property(VM& vm, StringifyS

        // b. If isArray is true, return ? SerializeJSONArray(state, value).
        if (is_array)
-            return serialize_json_array(vm, state, static_cast<Array&>(value.as_object()));
+            return serialize_json_array(vm, state, value.as_object());

        // c. Return ? SerializeJSONObject(state, value).
        return serialize_json_object(vm, state, value.as_object());