LibJS: Don't assume Object.setPrototypeOf() prototype value is an object

We're crashing otherwise. Also it was not possible to set the prototype to null.
Author: https://github.com/linusg Commit: https://github.com/SerenityOS/serenity/commit/8cf1ded478a Pull-request: https://github.com/SerenityOS/serenity/pull/2478
2025-04-22 04:25:13 +00:00 · 2020-06-02 12:25:21 +01:00 · 2020-06-02 12:25:21 +01:00 · 8cf1ded478 · 2024-07-19 05:53:49 +09:00
commit 8cf1ded478
parent 1a64bdd80c
2 changed files with 18 additions and 1 deletions
--- a/Libraries/LibJS/Runtime/ObjectConstructor.cpp
+++ b/Libraries/LibJS/Runtime/ObjectConstructor.cpp
@ -102,7 +102,17 @@ Value ObjectConstructor::set_prototype_of(Interpreter& interpreter)
    auto* object = interpreter.argument(0).to_object(interpreter);
    if (interpreter.exception())
        return {};
-    object->set_prototype(&const_cast<Object&>(interpreter.argument(1).as_object()));
+    auto prototype_value = interpreter.argument(1);
+    Object* prototype;
+    if (prototype_value.is_null()) {
+        prototype = nullptr;
+    } else if (prototype_value.is_object()) {
+        prototype = &prototype_value.as_object();
+    } else {
+        interpreter.throw_exception<TypeError>("Prototype must be null or object");
+        return {};
+    }
+    object->set_prototype(prototype);
    return object;
 }

--- a/Libraries/LibJS/Tests/Object.setPrototypeOf.js
+++ b/Libraries/LibJS/Tests/Object.setPrototypeOf.js
@ -3,6 +3,13 @@ load("test-common.js");
 try {
    assert(Object.setPrototypeOf.length === 2);

+    assertThrowsError(() => {
+        Object.setPrototypeOf({}, "foo");
+    }, {
+        error: TypeError,
+        message: "Prototype must be null or object"
+    });
+
    o = {};
    assert(Object.setPrototypeOf(o, {}) === o);