LibJS: Don't change offset when reconfiguring property in unique shape

When changing the attributes of an existing property of an object with unique shape we must not change the PropertyMetadata offset. Doing so without resizing the underlying storage vector caused an OOB write crash. Fixes #3735.
author: Linus Groh <mail@linusgroh.de> 2020-10-10 14:42:23 +0100
committer: Andreas Kling <kling@serenityos.org> 2020-10-10 23:25:00 +0200
commit: a5bf6cfff98a52ecceaace5dd8ccc8fd7e79ac90 (patch)
tree: d0472a29a24460a0fddb07428e73158937742801 /Libraries/LibJS/Runtime
parent: fcd263f17ba73e44fdda6800cd2f7a3a8ee03f54 (diff)
download: serenity-a5bf6cfff98a52ecceaace5dd8ccc8fd7e79ac90.zip
1 files changed, 4 insertions, 2 deletions
diff --git a/Libraries/LibJS/Runtime/Shape.cpp b/Libraries/LibJS/Runtime/Shape.cpp
index 741e00e322..4fd26ed631 100644
--- a/Libraries/LibJS/Runtime/Shape.cpp
+++ b/Libraries/LibJS/Runtime/Shape.cpp
@@ -195,8 +195,10 @@ void Shape::reconfigure_property_in_unique_shape(const StringOrSymbol& property_
 {
     ASSERT(is_unique());
     ASSERT(m_property_table);
-    ASSERT(m_property_table->contains(property_name));
-    m_property_table->set(property_name, { m_property_table->size(), attributes });
+    auto it = m_property_table->find(property_name);
+    ASSERT(it != m_property_table->end());
+    it->value.attributes = attributes;
+    m_property_table->set(property_name, it->value);
 }
 
 void Shape::remove_property_from_unique_shape(const StringOrSymbol& property_name, size_t offset)
author	Linus Groh <mail@linusgroh.de>	2020-10-10 14:42:23 +0100
committer	Andreas Kling <kling@serenityos.org>	2020-10-10 23:25:00 +0200
commit	a5bf6cfff98a52ecceaace5dd8ccc8fd7e79ac90 (patch)
tree	d0472a29a24460a0fddb07428e73158937742801 /Libraries/LibJS/Runtime
parent	fcd263f17ba73e44fdda6800cd2f7a3a8ee03f54 (diff)
download	serenity-a5bf6cfff98a52ecceaace5dd8ccc8fd7e79ac90.zip