author | Kent Hansen <kent.hansen@nokia.com> | 2012-07-09 20:36:22 +0200 |
---|---|---|
committer | Qt by Nokia <qt-info@nokia.com> | 2012-07-12 02:07:51 +0200 |
commit | db17c14cace450e20745839014075c0263f8618f (patch) | |
tree | 920278e8344d4b22edc185b08d5f334a87ff6efe | |
parent | 2884c5c2fbbe6656f90aa3e1ea828ee67be18c18 (diff) | |
download | qtscript-db17c14cace450e20745839014075c0263f8618f.tar.gz |

Check that property descriptor members are valid before using them

Even if getPropertyDescriptor() returns true, it's not guaranteed
that PropertyDescriptor::setter() or PropertyDescriptor::value()
returns a valid JSC value.

This code is in an "#ifdef QT_BUILD_SCRIPT_LIB" block, i.e. a
patch we added on top of the original JSC sources.

The lack of checks caused the getter-in-prototype and
indexed-accessors tests from the V8 test suite to assert in
debug mode.

Task-number: QTBUG-17915
Change-Id: I568d83f2f80b28871ea0d934a8e33078ac8aa3ad
Reviewed-by: Olivier Goffart <ogoffart@woboq.com>

-rw-r--r-- | src/3rdparty/javascriptcore/JavaScriptCore/runtime/JSObject.cpp | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/src/3rdparty/javascriptcore/JavaScriptCore/runtime/JSObject.cpp b/src/3rdparty/javascriptcore/JavaScriptCore/runtime/JSObject.cpp index 0e3475f..8706b8d 100644 --- a/src/3rdparty/javascriptcore/JavaScriptCore/runtime/JSObject.cpp +++ b/src/3rdparty/javascriptcore/JavaScriptCore/runtime/JSObject.cpp @@ -138,8 +138,8 @@ void JSObject::put(ExecState* exec, const Identifier& propertyName, JSValue valu PropertyDescriptor descriptor; if (obj->getPropertyDescriptor(exec, propertyName, descriptor)) { JSObject* setterFunc; - if ((descriptor.isAccessorDescriptor() && ((setterFunc = asObject(descriptor.setter())), true)) - || (descriptor.value().isGetterSetter() && ((setterFunc = asGetterSetter(descriptor.value())->setter()), true))) { + if ((descriptor.isAccessorDescriptor() && !!descriptor.setter() && ((setterFunc = asObject(descriptor.setter())), true)) + || (!!descriptor.value() && descriptor.value().isGetterSetter() && ((setterFunc = asGetterSetter(descriptor.value())->setter()), true))) { #else if (JSValue gs = obj->getDirect(propertyName)) { if (gs.isGetterSetter()) { |
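
Review bot: In the first operand of the new condition, `!!descriptor.setter()` only establishes that the value is non-empty, yet the very next operand hands it to `asObject()`. If an accessor descriptor can carry a setter that is non-empty but not an object, the cast is still unchecked; testing `descriptor.setter().isObject()` would state the precondition that `asObject()` actually needs. The second operand has the mirror-image gap: `asGetterSetter(descriptor.value())->setter()` is assigned to `setterFunc` without a null check, so the body of the `if` has to tolerate a null `setterFunc`, which is not visible in this hunk. Two smaller points: `JSObject* setterFunc;` is still declared uninitialized and is only assigned through the comma expression inside the condition, so initializing it to 0 would make the now longer short-circuit chain safer to modify later; and `descriptor.setter()` and `descriptor.value()` are each evaluated several times, where hoisting them into locals would make the validity checks easier to read. A short comment next to the `!!` checks saying that getPropertyDescriptor() returning true does not guarantee valid members (as the commit message explains) would keep a later cleanup from removing them.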