You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Bug 706057: Fix use-after-free in getOwnPropertyDescriptor.
getOwnPropertyDescriptor should create the descriptor object by
using [[DefineOwnProperty]], and not by looking through the prototype
chain where it may invoke getters and setters on the Object.prototype.
If there exists an Object.prototype.get property with a setter, that method is
invoked when it shouldn't. A malicious getter here can delete the property
currently being processed in getOwnPropertyDescriptor, and we'll end up
with a use-after-free bug.
Avoid this problem by following the spec and use js_defproperty rather than
js_setproperty to define own properties in getOwnPropertyDescriptor and
related functions.
0 commit comments