LibJS: Don't assume Object.setPrototypeOf() prototype value is an object

We're crashing otherwise. Also it was not possible to set the prototype to null.
author: Linus Groh <mail@linusgroh.de> 2020-06-02 12:25:21 +0100
committer: Andreas Kling <kling@serenityos.org> 2020-06-02 13:51:02 +0200
commit: 8cf1ded478a702d2a8235b16db413e04e0147dd1 (patch)
tree: 152f5cd0eb22bce1e4b2a8f15a2b71cb1440eddd /Libraries/LibJS/Runtime/ObjectConstructor.cpp
parent: 1a64bdd80c8a1c54f92842350c42814a24bd8e7a (diff)
download: serenity-8cf1ded478a702d2a8235b16db413e04e0147dd1.zip
1 files changed, 11 insertions, 1 deletions
diff --git a/Libraries/LibJS/Runtime/ObjectConstructor.cpp b/Libraries/LibJS/Runtime/ObjectConstructor.cpp
index c9ed9087f2..23b247d6b7 100644
--- a/Libraries/LibJS/Runtime/ObjectConstructor.cpp
+++ b/Libraries/LibJS/Runtime/ObjectConstructor.cpp
@@ -102,7 +102,17 @@ Value ObjectConstructor::set_prototype_of(Interpreter& interpreter)
     auto* object = interpreter.argument(0).to_object(interpreter);
     if (interpreter.exception())
         return {};
-    object->set_prototype(&const_cast<Object&>(interpreter.argument(1).as_object()));
+    auto prototype_value = interpreter.argument(1);
+    Object* prototype;
+    if (prototype_value.is_null()) {
+        prototype = nullptr;
+    } else if (prototype_value.is_object()) {
+        prototype = &prototype_value.as_object();
+    } else {
+        interpreter.throw_exception<TypeError>("Prototype must be null or object");
+        return {};
+    }
+    object->set_prototype(prototype);
     return object;
 }
author	Linus Groh <mail@linusgroh.de>	2020-06-02 12:25:21 +0100
committer	Andreas Kling <kling@serenityos.org>	2020-06-02 13:51:02 +0200
commit	8cf1ded478a702d2a8235b16db413e04e0147dd1 (patch)
tree	152f5cd0eb22bce1e4b2a8f15a2b71cb1440eddd /Libraries/LibJS/Runtime/ObjectConstructor.cpp
parent	1a64bdd80c8a1c54f92842350c42814a24bd8e7a (diff)
download	serenity-8cf1ded478a702d2a8235b16db413e04e0147dd1.zip