mirrors/ladybird
1
0
Fork 0
mirror of https://github.com/LadybirdBrowser/ladybird.git synced 2025-04-21 03:55:24 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 10

LibJS: Don't change offset when reconfiguring property in unique shape

Browse source 
When changing the attributes of an existing property of an object with
unique shape we must not change the PropertyMetadata offset.
Doing so without resizing the underlying storage vector caused an OOB
write crash.

Fixes #3735.
This commit is contained in:
Linus Groh 2020-10-10 14:42:23 +01:00 committed by Andreas Kling
parent fcd263f17b
commit a5bf6cfff9
Notes: sideshowbarker 2024-07-19 01:56:39 +09:00
2 changed files with 14 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
Libraries/LibJS/Runtime/Shape.cpp
View file

@ -195,8 +195,10 @@ void Shape::reconfigure_property_in_unique_shape(const StringOrSymbol& property_
{
ASSERT(is_unique());
ASSERT(m_property_table);
ASSERT(m_property_table->contains(property_name));
m_property_table->set(property_name, { m_property_table->size(), attributes });
auto it = m_property_table->find(property_name);
ASSERT(it != m_property_table->end());
it->value.attributes = attributes;
m_property_table->set(property_name, it->value);
}
void Shape::remove_property_from_unique_shape(const StringOrSymbol& property_name, size_t offset)

10
Libraries/LibJS/Tests/builtins/Object/Object.defineProperty.js
View file

@ -148,6 +148,16 @@ describe("normal functionality", () => {
expect((o[s] = 5)).toBe(5);
expect((o[s] = 4)).toBe(4);
});
test("issue #3735, reconfiguring property in unique shape", () => {
const o = {};
// In LibJS an object with more than 100 properties gets a unique shape
for (let i = 0; i < 101; ++i) {
o[`property${i}`] = i;
}
Object.defineProperty(o, "x", { configurable: true });
Object.defineProperty(o, "x", { configurable: false });
});
});
describe("errors", () => {