Timothy Flynn 3efe611dbf LibJS: Do not assume that IsArray means the object type is an Array ...

IsArray returns true if the object is an Array *or* if it is a
ProxyObject whose target is an Array. Therefore, we cannot downcast to
an Array based on IsArray.

Luckily, we don't actually need an Array here; SerializeJSONArray only
needs an Object.

This was caught by UBSAN with vptr sanitation enabled.

2022-09-15 09:45:13 +02:00

17 KiB

Raw Blame History

View Raw