From 7df3b951267bd77b2b72f04d697ea5148073e29d Mon Sep 17 00:00:00 2001
From: Andreas Kling
Date: Fri, 5 Feb 2021 14:51:18 +0100
Subject: LibJS: GlobalObject must mark builtin prototypes

Failing to mark them leads to use-after-free since the GlobalObject cached prototypes are used for new NumberObject, StringObject, etc.
Found by oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30319
---
 Userland/Libraries/LibJS/Runtime/GlobalObject.cpp | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'Userland')

diff --git a/Userland/Libraries/LibJS/Runtime/GlobalObject.cpp b/Userland/Libraries/LibJS/Runtime/GlobalObject.cpp
index 37135f907c..0a17ac6186 100644
--- a/Userland/Libraries/LibJS/Runtime/GlobalObject.cpp
+++ b/Userland/Libraries/LibJS/Runtime/GlobalObject.cpp
@@ -167,8 +167,10 @@ void GlobalObject::visit_edges(Visitor& visitor)
     visitor.visit(m_proxy_constructor);
 
 #define __JS_ENUMERATE(ClassName, snake_name, PrototypeName, ConstructorName, ArrayType) \
-    visitor.visit(m_##snake_name##_constructor);
+    visitor.visit(m_##snake_name##_constructor); \
+    visitor.visit(m_##snake_name##_prototype);
     JS_ENUMERATE_ERROR_SUBCLASSES
+    JS_ENUMERATE_BUILTIN_TYPES
 #undef __JS_ENUMERATE
 
 #define __JS_ENUMERATE(ClassName, snake_name) \
-- 
cgit v1.2.3
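Review bot: The added `visitor.visit(m_##snake_name##_prototype);` in the five-argument `__JS_ENUMERATE` body closes the missing GC root, but nothing at this site records that every cached constructor/prototype member of `GlobalObject` must be listed in `visit_edges`, which is exactly how the prototypes were missed and turned into the use-after-free the commit message describes. A comment above the first `#define` would make that invariant visible to whoever next adds a cached member: `// Every constructor and prototype cached on GlobalObject must be visited here; an unvisited one is collected while still handed out to new objects (see the oss-fuzz report in the commit message).` The two-argument `__JS_ENUMERATE` whose `#define` is the hunk's last line has its body outside the hunk, so I cannot tell whether the members it enumerates also carry a prototype that needs the same treatment; worth confirming. A regression test that allocates builtin objects, forces a collection and then uses them again would keep this from silently regressing, if the LibJS test harness can trigger GC. `GlobalObject::visit_edges` starts and ends outside the hunk.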