ladybird/Object.defineProperty.js at 1993ccb4565c3fd8a0103046b19dfbeddfcb1589

mirror of https://github.com/fergalmoran/ladybird.git synced 2025-12-23 09:48:45 +00:00

Files

Linus Groh a5bf6cfff9 LibJS: Don't change offset when reconfiguring property in unique shape

When changing the attributes of an existing property of an object with
unique shape we must not change the PropertyMetadata offset.
Doing so without resizing the underlying storage vector caused an OOB
write crash.

Fixes #3735.

2020-10-10 23:25:00 +02:00

7.1 KiB

Raw Blame History

View Raw

7.1 KiB Raw Blame History

7.1 KiB

Raw Blame History