mirror of
https://github.com/LadybirdBrowser/ladybird.git
synced 2025-07-24 09:52:31 +00:00
Currently, we create `this_argument` with `ordinary_create_from_constructor`, then we use `arguments_list` to build the `callee_context`. The issue is that we don't properly model the side effects of `ordinary_create_from_constructor`: if `new_target` is a proxy object, then when we `get` the prototype, arbitrary JavaScript can run. This JavaScript could perform a function call with enough arguments to reallocate the interpreter's `m_argument_values_buffer` vector. This is dangerous and leads to a use-after-free, as our stack frame maintains a pointer to `m_argument_values_buffer` (`arguments_list`).
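The hazard the commit message describes, as an added C++ illustration that is not Ladybird's code: a raw view into a growable argument buffer is held across a reentrant step (a stand-in for the proxy trap that runs while the prototype is fetched), beside the defensive shape of copying the arguments into frame-owned storage first. Everything except the names `m_argument_values_buffer` and `arguments_list` is constructed for the example.

```cpp
#include <cstddef>
#include <initializer_list>
#include <vector>

// Constructed model of the hazard (not Ladybird's code): an interpreter keeps
// argument values in one growable buffer and hands callees a raw view into it.
struct Interpreter {
    std::vector<int> m_argument_values_buffer;

    // Appends arguments and returns a pointer to their first element. The
    // pointer is only valid until the next operation that may grow the buffer.
    const int* push_arguments(std::initializer_list<int> args) {
        size_t start = m_argument_values_buffer.size();
        m_argument_values_buffer.insert(m_argument_values_buffer.end(), args.begin(), args.end());
        return m_argument_values_buffer.data() + start;
    }
};

// Stand-in for the arbitrary JavaScript a proxy trap can run while the
// prototype is fetched: it performs a call with many arguments, so the
// buffer has to grow (and therefore reallocate).
void reentrant_proxy_trap(Interpreter& interp) {
    for (int i = 0; i < 4096; ++i)
        interp.m_argument_values_buffer.push_back(i);
}

// Unsafe shape: keep `arguments_list` across the reentrant step. Returns true
// when the buffer reallocated, i.e. the pointer now dangles. The stale
// pointer is deliberately never dereferenced here; growth is detected via
// capacity instead.
bool arguments_list_dangles_after_trap() {
    Interpreter interp;
    const int* arguments_list = interp.push_arguments({1, 2, 3});
    size_t capacity_before = interp.m_argument_values_buffer.capacity();
    reentrant_proxy_trap(interp);
    (void)arguments_list; // would be a use-after-free if read past this point
    return interp.m_argument_values_buffer.capacity() != capacity_before;
}

// Defensive shape: copy the argument values into storage this frame owns
// before anything reentrant runs, then build the callee context from the copy.
int sum_of_arguments_after_trap_safe() {
    Interpreter interp;
    const int* view = interp.push_arguments({1, 2, 3});
    std::vector<int> arguments_copy(view, view + 3); // owned, survives reallocation
    reentrant_proxy_trap(interp);
    int sum = 0;
    for (int v : arguments_copy)
        sum += v;
    return sum; // 6 regardless of what happened to the shared buffer
}
```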
Files in this directory:

- allow-await-in-a-func-def-assigned-to-default-param.js
- bogus-program-counter.js
- proxied-constructor-leads-to-use-after-free.js