LibJS: Fix UB downcast during GlobalObject construction

When constructing a GlobalObject, it has to pass itself as the global object to its own Shape. Since this is done in the Object constructor, and Object is a base class of GlobalObject, it's not yet valid to cast "this" to a GlobalObject*. Fix this by having Shape store the global object as an Object& and move Shape::global_object() to GlobalObject.h where we can at least perform a valid static_cast in the getter. Found by oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29267
2026-01-03 07:07:23 +00:00 · 2021-01-05 12:02:59 +01:00
parent 279d2eee04
commit fdd974b7ef
4 changed files with 10 additions and 5 deletions
--- a/Libraries/LibJS/Runtime/Shape.cpp
+++ b/Libraries/LibJS/Runtime/Shape.cpp
@@ -72,7 +72,7 @@ Shape::Shape(ShapeWithoutGlobalObjectTag)
 {
 }

-Shape::Shape(GlobalObject& global_object)
+Shape::Shape(Object& global_object)
    : m_global_object(&global_object)
 {
 }