[JSC] Harden CustomGetterSetter by adding MethodTable overrides that …

…always crash https://bugs.webkit.org/show_bug.cgi?id=268897 <rdar://122171568> Reviewed by Mark Lam. Just like GetterSetter, CustomGetterSetter is never purposely exposed to userland code. However, to make exploitation of accidentally exposed CustomGetterSetter objects difficult, this patch implements MethodTable overrides that abort the program when reached, similar to GetterSetter. * Source/JavaScriptCore/runtime/CustomGetterSetter.h: (JSC::CustomGetterSetter::getOwnPropertySlot): (JSC::CustomGetterSetter::put): (JSC::CustomGetterSetter::putByIndex): (JSC::CustomGetterSetter::setPrototype): (JSC::CustomGetterSetter::defineOwnProperty): (JSC::CustomGetterSetter::deleteProperty): Canonical link: https://commits.webkit.org/272448.523@safari-7618-branch
WebKit · Feb 9, 2024 · 66d8614 · 66d8614
1 parent 5cdf58d
commit 66d8614
Showing 1 changed file with 8 additions and 1 deletion.
diff --git a/Source/JavaScriptCore/runtime/CustomGetterSetter.h b/Source/JavaScriptCore/runtime/CustomGetterSetter.h
@@ -35,7 +35,7 @@ namespace JSC {
 class CustomGetterSetter : public JSCell {
 public:
     using Base = JSCell;
-    static constexpr unsigned StructureFlags = Base::StructureFlags | StructureIsImmortal;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesPut | StructureIsImmortal;
 
     using CustomGetter = GetValueFunc;
     using CustomSetter = PutValueFunc;
@@ -60,6 +60,13 @@ class CustomGetterSetter : public JSCell {
 
     DECLARE_EXPORT_INFO;
 
+    static bool getOwnPropertySlot(JSObject*, JSGlobalObject*, PropertyName, PropertySlot&) { RELEASE_ASSERT_NOT_REACHED(); return false; }
+    static bool put(JSCell*, JSGlobalObject*, PropertyName, JSValue, PutPropertySlot&) { RELEASE_ASSERT_NOT_REACHED(); return false; }
+    static bool putByIndex(JSCell*, JSGlobalObject*, unsigned, JSValue, bool) { RELEASE_ASSERT_NOT_REACHED(); return false; }
+    static bool setPrototype(JSObject*, JSGlobalObject*, JSValue, bool) { RELEASE_ASSERT_NOT_REACHED(); return false; }
+    static bool defineOwnProperty(JSObject*, JSGlobalObject*, PropertyName, const PropertyDescriptor&, bool) { RELEASE_ASSERT_NOT_REACHED(); return false; }
+    static bool deleteProperty(JSCell*, JSGlobalObject*, PropertyName, DeletePropertySlot&) { RELEASE_ASSERT_NOT_REACHED(); return false; }
+
 protected:
     CustomGetterSetter(VM& vm, Structure* structure, CustomGetter getter, CustomSetter setter)
         : JSCell(vm, structure)