fergalmoran/ladybird
1
0
Fork 0
mirror of https://github.com/fergalmoran/ladybird.git synced 2026-01-02 22:55:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

LibJS: Do not assume that IsArray means the object type is an Array

Browse Source 
IsArray returns true if the object is an Array *or* if it is a
ProxyObject whose target is an Array. Therefore, we cannot downcast to
an Array based on IsArray.

Luckily, we don't actually need an Array here; SerializeJSONArray only
needs an Object.

This was caught by UBSAN with vptr sanitation enabled.
This commit is contained in:
Timothy Flynn
2022-09-14 16:11:35 -04:00
committed by Andreas Kling
parent 98a6f962a0
commit 3efe611dbf
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
Userland/Libraries/LibJS/Runtime/JSONObject.cpp
View File

@@ -207,7 +207,7 @@ ThrowCompletionOr<String> JSONObject::serialize_json_property(VM& vm, StringifyS
// b. If isArray is true, return ? SerializeJSONArray(state, value).
if (is_array)
return serialize_json_array(vm, state, static_cast<Array&>(value.as_object()));
return serialize_json_array(vm, state, value.as_object());
// c. Return ? SerializeJSONObject(state, value).
return serialize_json_object(vm, state, value.as_object());