Commit 04bbde04 authored by oliver@apple.com

Harden executeConstruct against incorrect return types from host functions

https://bugs.webkit.org/show_bug.cgi?id=119757

Reviewed by Mark Hahnenberg.

Add logic to guard against bogus return types.  There doesn't seem to be any
class in webkit that does this wrong, but the typed array stubs in debug JSC
do exhibit this bad behaviour.

* interpreter/Interpreter.cpp:
(JSC::Interpreter::executeConstruct):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@154011 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent 88555b5c
2013-08-13 Oliver Hunt <oliver@apple.com>
Harden executeConstruct against incorrect return types from host functions
https://bugs.webkit.org/show_bug.cgi?id=119757
Reviewed by Mark Hahnenberg.
Add logic to guard against bogus return types. There doesn't seem to be any
class in webkit that does this wrong, but the typed array stubs in debug JSC
do exhibit this bad behaviour.
* interpreter/Interpreter.cpp:
(JSC::Interpreter::executeConstruct):
2013-08-13 Allan Sandfeld Jensen <allan.jensen@digia.com>
[Qt] Fix C++11 build with gcc 4.4 and 4.5
......@@ -1004,8 +1004,14 @@ JSObject* Interpreter::executeConstruct(CallFrame* callFrame, JSObject* construc
#elif ENABLE(JIT)
result = constructData.js.functionExecutable->generatedJITCodeForConstruct()->execute(&m_stack, newCallFrame, &vm);
#endif // ENABLE(JIT)
} else
} else {
result = JSValue::decode(constructData.native.function(newCallFrame));
if (!callFrame->hadException()) {
ASSERT_WITH_MESSAGE(result.isObject(), "Host constructor returned non object.");
if (!result.isObject())
throwTypeError(newCallFrame);
}
}
}
if (LegacyProfiler* profiler = vm.enabledProfiler())
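Review bot: in the new native branch, after `throwTypeError(newCallFrame)` fires on the `if (!result.isObject())` check, `result` still holds the non-object value and control falls through to the profiler block at `if (LegacyProfiler* profiler = vm.enabledProfiler())`; since `executeConstruct` returns a `JSObject*`, please confirm the code after this hunk takes the exception path rather than deriving the return value from the non-object `result`, or return early right after the throw. Two smaller points: the guard reads `callFrame->hadException()` but the error is raised on `newCallFrame`, so using one frame for both would read more consistently; and because `ASSERT_WITH_MESSAGE(result.isObject(), ...)` precedes the runtime check, debug builds (including the typed array stubs the message mentions) will assert before the `throwTypeError` path is ever exercised, which is worth a comment if that is the intent.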