author | Kent Hansen <kent.hansen@nokia.com> | 2012-07-09 18:36:22 (GMT) |
---|---|---|
committer | Qt by Nokia <qt-info@nokia.com> | 2012-08-03 09:44:22 (GMT) |
commit | 8a67366057bbfb6c65f46867edbb45c83af09627 (patch) | |
tree | 4857b452cd2d083fdce94b367e02c27f20540f65 /src/3rdparty | |
parent | e92293cf46337e8f533908846b9e80b9ae286d6a (diff) | |
Check that property descriptor members are valid before using them

Even if getPropertyDescriptor() returns true, it's not guaranteed
that PropertyDescriptor::setter() or PropertyDescriptor::value()
returns a valid JSC value.

This code is in an "#ifdef QT_BUILD_SCRIPT_LIB" block, i.e. a
patch we added on top of the original JSC sources.

The lack of checks caused the getter-in-prototype and
indexed-accessors tests from the V8 test suite to assert in
debug mode.

Cherry-picked from qt5/qtscript commit
db17c14cace450e20745839014075c0263f8618f

Task-number: QTBUG-17915
Change-Id: I55db26cfe4b63363be92a0b75f2c69b878ea9ef3
Reviewed-by: Olivier Goffart <ogoffart@woboq.com>
Diffstat (limited to 'src/3rdparty')
-rw-r--r-- | src/3rdparty/javascriptcore/JavaScriptCore/runtime/JSObject.cpp | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/src/3rdparty/javascriptcore/JavaScriptCore/runtime/JSObject.cpp b/src/3rdparty/javascriptcore/JavaScriptCore/runtime/JSObject.cpp index 0e3475f..8706b8d 100644 --- a/src/3rdparty/javascriptcore/JavaScriptCore/runtime/JSObject.cpp +++ b/src/3rdparty/javascriptcore/JavaScriptCore/runtime/JSObject.cpp @@ -138,8 +138,8 @@ void JSObject::put(ExecState* exec, const Identifier& propertyName, JSValue valu PropertyDescriptor descriptor; if (obj->getPropertyDescriptor(exec, propertyName, descriptor)) { JSObject* setterFunc; - if ((descriptor.isAccessorDescriptor() && ((setterFunc = asObject(descriptor.setter())), true)) - || (descriptor.value().isGetterSetter() && ((setterFunc = asGetterSetter(descriptor.value())->setter()), true))) { + if ((descriptor.isAccessorDescriptor() && !!descriptor.setter() && ((setterFunc = asObject(descriptor.setter())), true)) + || (!!descriptor.value() && descriptor.value().isGetterSetter() && ((setterFunc = asGetterSetter(descriptor.value())->setter()), true))) { #else if (JSValue gs = obj->getDirect(propertyName)) { if (gs.isGetterSetter()) { |
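Review bot: In the first branch of the new condition, `!!descriptor.setter()` only establishes that the setter value is non-empty before `asObject(descriptor.setter())` casts it; nothing in the visible lines establishes that the value is actually an object. If a non-empty, non-object setter can reach this point, test `descriptor.setter().isObject()` here rather than emptiness alone. The second branch has a related gap one step later: the result of `asGetterSetter(descriptor.value())->setter()` is assigned to `setterFunc` with no check, so if that call can return null, the block that follows (not shown in this hunk) has to handle a null `setterFunc`. Since `setterFunc` is declared uninitialized and assigned through comma expressions inside an already long condition, consider hoisting both lookups into a small helper that returns the setter object or null, and add a one-line comment saying why a successful `getPropertyDescriptor()` can still leave these members empty.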