Cherry-pick 272448.254@safari-7618-branch (5173338). https://bugs.web…

…kit.org/show_bug.cgi?id=267725 [JSC] Use dynamic cast in intlCollatorFuncCompare, intlDateTimeFormatFuncFormatDateTime, and intlNumberFormatFuncFormat https://bugs.webkit.org/show_bug.cgi?id=267725 rdar://121029647 Reviewed by Yusuke Suzuki and Mark Lam. We should ensure `thisValue` is the desired object. So, should use dynamic cast instead in intlCollatorFuncCompare, intlDateTimeFormatFuncFormatDateTime, and intlNumberFormatFuncFormat. * Source/JavaScriptCore/runtime/IntlCollatorPrototype.cpp: (JSC::JSC_DEFINE_HOST_FUNCTION): * Source/JavaScriptCore/runtime/IntlDateTimeFormatPrototype.cpp: (JSC::JSC_DEFINE_HOST_FUNCTION): * Source/JavaScriptCore/runtime/IntlNumberFormatPrototype.cpp: (JSC::JSC_DEFINE_HOST_FUNCTION): Canonical link: https://commits.webkit.org/272448.254@safari-7618-branch Canonical link: https://commits.webkit.org/274313.70@webkitglib/2.44
WebKit · Mar 11, 2024 · b1e5902 · b1e5902
1 parent bb20f3e
commit b1e5902
Show file tree

Hide file tree

Showing 6 changed files with 36 additions and 3 deletions.
diff --git a/JSTests/stress/intl-collator.js b/JSTests/stress/intl-collator.js
@@ -411,3 +411,12 @@ shouldThrow(() => Intl.Collator.prototype.resolvedOptions.call(5), TypeError);
 }
 
 shouldBe(new Intl.Collator('de-u-kn-false-kf-upper-co-phonebk-hc-h12').resolvedOptions().locale, 'de-u-co-phonebk-kf-upper-kn-false');
+
+shouldThrow(() => {
+    Function.prototype.__defineGetter__('prototype', function () {
+        this.call(0x1234);
+    });
+
+    const collator = new Intl.Collator();
+    1 instanceof collator.compare;
+}, TypeError);
diff --git a/JSTests/stress/intl-datetimeformat.js b/JSTests/stress/intl-datetimeformat.js
@@ -764,3 +764,12 @@ shouldBe(JSON.stringify(Intl.DateTimeFormat('zh', { era: 'short', year: 'numeric
     const year = parts.find(part => part.type === 'year')
     shouldBe(year.value, "2021")
 }
+
+shouldThrow(() => {
+    Function.prototype.__defineGetter__('prototype', function () {
+        this.call(0x1234);
+    });
+
+    const dateTimeFormat = new Intl.DateTimeFormat();
+    1 instanceof dateTimeFormat.format;
+}, TypeError)
diff --git a/JSTests/stress/intl-numberformat.js b/JSTests/stress/intl-numberformat.js
@@ -523,3 +523,12 @@ shouldThrow(() => {
         minimumFractionDigits: 100
     });
 }, RangeError);
+
+shouldThrow(() => {
+    Function.prototype.__defineGetter__('prototype', function () {
+        this.call(0x1234);
+    });
+
+    const numberFormat = new Intl.NumberFormat();
+    1 instanceof numberFormat.format;
+}, TypeError)
diff --git a/Source/JavaScriptCore/runtime/IntlCollatorPrototype.cpp b/Source/JavaScriptCore/runtime/IntlCollatorPrototype.cpp
@@ -83,7 +83,9 @@ JSC_DEFINE_HOST_FUNCTION(intlCollatorFuncCompare, (JSGlobalObject* globalObject,
     // 10.3.4 Collator Compare Functions (ECMA-402 2.0)
     // 1. Let collator be the this value.
     // 2. Assert: Type(collator) is Object and collator has an [[initializedCollator]] internal slot whose value is true.
-    IntlCollator* collator = jsCast<IntlCollator*>(callFrame->thisValue());
+    IntlCollator* collator = jsDynamicCast<IntlCollator*>(callFrame->thisValue());
+    if (UNLIKELY(!collator))
+        return JSValue::encode(throwTypeError(globalObject, scope, "Intl.Collator.prototype.compare called on value that's not a Collator"_s));
 
     // 3. If x is not provided, let x be undefined.
     // 4. If y is not provided, let y be undefined.

diff --git a/Source/JavaScriptCore/runtime/IntlDateTimeFormatPrototype.cpp b/Source/JavaScriptCore/runtime/IntlDateTimeFormatPrototype.cpp
@@ -119,7 +119,9 @@ JSC_DEFINE_HOST_FUNCTION(intlDateTimeFormatFuncFormatDateTime, (JSGlobalObject*
     // 12.1.7 DateTime Format Functions (ECMA-402)
     // https://tc39.github.io/ecma402/#sec-formatdatetime
 
-    IntlDateTimeFormat* format = jsCast<IntlDateTimeFormat*>(callFrame->thisValue());
+    IntlDateTimeFormat* format = jsDynamicCast<IntlDateTimeFormat*>(callFrame->thisValue());
+    if (UNLIKELY(!format))
+        return JSValue::encode(throwTypeError(globalObject, scope, "Intl.DateTimeFormat.prototype.format called on value that's not a DateTimeFormat"_s));
 
     JSValue date = callFrame->argument(0);
     double value = IntlDateTimeFormat::handleDateTimeValue(globalObject, date);

diff --git a/Source/JavaScriptCore/runtime/IntlNumberFormatPrototype.cpp b/Source/JavaScriptCore/runtime/IntlNumberFormatPrototype.cpp
@@ -99,7 +99,9 @@ JSC_DEFINE_HOST_FUNCTION(intlNumberFormatFuncFormat, (JSGlobalObject* globalObje
 {
     VM& vm = globalObject->vm();
     auto scope = DECLARE_THROW_SCOPE(vm);
-    auto* numberFormat = jsCast<IntlNumberFormat*>(callFrame->thisValue());
+    auto* numberFormat = jsDynamicCast<IntlNumberFormat*>(callFrame->thisValue());
+    if (UNLIKELY(!numberFormat))
+        return JSValue::encode(throwTypeError(globalObject, scope, "Intl.NumberFormat.prototype.format called on value that's not a NumberFormat"_s));
 
     auto value = toIntlMathematicalValue(globalObject, callFrame->argument(0));
     RETURN_IF_EXCEPTION(scope, { });