Bug 706057: Fix use-after-free in getOwnPropertyDescriptor.
getOwnPropertyDescriptor should create the descriptor object by using [[DefineOwnProperty]], and not by looking through the prototype chain where it may invoke getters and setters on the Object.prototype. If there exists an Object.prototype.get property with a setter, that method is invoked when it shouldn't be. A malicious getter here can delete the property currently being processed in getOwnPropertyDescriptor, and we'll end up with a use-after-free bug. Avoid this problem by following the spec and using js_defproperty rather than js_setproperty to define own properties in getOwnPropertyDescriptor and related functions.
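The distinction the commit message draws, as an added JavaScript example (not code from this commit or its project): it models the two ways of filling a descriptor object and counts how often a setter on Object.prototype gets to run, then applies the same count to the host engine's built-in as a regression check. All function names are hypothetical.

```javascript
'use strict';
// Constructed illustration; every name below is hypothetical.
const FIELDS = ['value', 'writable', 'enumerable', 'configurable', 'get', 'set'];

// [[Set]]-style fill: plain assignment walks the prototype chain, so an
// accessor on Object.prototype intercepts the write and runs script code
// in the middle of the operation.
function fillWithSet(desc, key, val) { desc[key] = val; }

// [[DefineOwnProperty]]-style fill: creates an own data property and never
// consults the prototype chain. The attributes object has a null prototype
// so that it cannot inherit polluted 'get'/'set' fields itself.
function fillWithDefine(desc, key, val) {
  Object.defineProperty(desc, key, { __proto__: null, value: val,
    writable: true, enumerable: true, configurable: true });
}

// Installs a counting setter for every descriptor field on Object.prototype,
// runs fn, removes the setters again, and returns how often they fired.
function countPrototypeSetterCalls(fn) {
  let calls = 0;
  for (const k of FIELDS) {
    Object.defineProperty(Object.prototype, k,
      { __proto__: null, set() { calls++; }, configurable: true });
  }
  try { fn(); } finally {
    for (const k of FIELDS) delete Object.prototype[k];
  }
  return calls;
}

// Builds the descriptor of an accessor property with the given fill strategy.
function buildAccessorDescriptor(fill) {
  const desc = {};
  fill(desc, 'get', function () { return 1; });
  fill(desc, 'set', undefined);
  fill(desc, 'enumerable', true);
  fill(desc, 'configurable', true);
  return desc;
}

// Regression check for the host engine: the built-in must run no setter.
function builtinSetterCalls() {
  const obj = { get prop() { return 1; } };
  return countPrototypeSetterCalls(
    () => Object.getOwnPropertyDescriptor(obj, 'prop'));
}
```

A non-zero result from `builtinSetterCalls()` means the engine builds descriptors with [[Set]] semantics and lets script run while the property is still being processed.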