diff options
| author | Linus Groh <mail@linusgroh.de> | 2020-09-12 10:22:36 +0100 |
|---|---|---|
| committer | Andreas Kling <kling@serenityos.org> | 2020-09-12 11:29:39 +0200 |
| commit | 568d53c9b1eb81b38aaccd904cce682f8a7d0cf0 (patch) | |
| tree | 3dfe0f0bbe95ae8a782636dd52dbfa27bfd568c0 /Libraries/LibJS/AST.cpp | |
| parent | 75dac35d0e66c173b3ceb5e8ecf44fe771b7cd87 (diff) | |
| download | serenity-568d53c9b1eb81b38aaccd904cce682f8a7d0cf0.zip | |
LibJS: Check validity of computed_property_name() result before using it
This fixes two cases obj[expr] and obj[expr]() (MemberExpression and
CallExpression respectively) when expr throws an exception and results
in an empty value, causing a crash by passing the invalid PropertyName
created by computed_property_name() to Object::get() without checking it
first.
Fixes #3459.
Diffstat (limited to 'Libraries/LibJS/AST.cpp')
| -rw-r--r-- | Libraries/LibJS/AST.cpp | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/Libraries/LibJS/AST.cpp b/Libraries/LibJS/AST.cpp index 19161b9749..3886950442 100644 --- a/Libraries/LibJS/AST.cpp +++ b/Libraries/LibJS/AST.cpp @@ -122,7 +122,10 @@ CallExpression::ThisAndCallee CallExpression::compute_this_and_callee(Interprete auto* this_value = is_super_property_lookup ? &interpreter.this_value(global_object).as_object() : lookup_target.to_object(interpreter, global_object); if (interpreter.exception()) return {}; - auto callee = lookup_target.to_object(interpreter, global_object)->get(member_expression.computed_property_name(interpreter, global_object)).value_or(js_undefined()); + auto property_name = member_expression.computed_property_name(interpreter, global_object); + if (!property_name.is_valid()) + return {}; + auto callee = lookup_target.to_object(interpreter, global_object)->get(property_name).value_or(js_undefined()); return { this_value, callee }; } return { &global_object, m_callee->execute(interpreter, global_object) }; @@ -1589,7 +1592,10 @@ Value MemberExpression::execute(Interpreter& interpreter, GlobalObject& global_o auto* object_result = object_value.to_object(interpreter, global_object); if (interpreter.exception()) return {}; - return object_result->get(computed_property_name(interpreter, global_object)).value_or(js_undefined()); + auto property_name = computed_property_name(interpreter, global_object); + if (!property_name.is_valid()) + return {}; + return object_result->get(property_name).value_or(js_undefined()); } Value StringLiteral::execute(Interpreter& interpreter, GlobalObject&) const |