Harden JSObject::getOwnPropertyDescriptor()
author: cdumez@apple.com <cdumez@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 15 Dec 2016 20:55:18 +0000 (20:55 +0000)
committer: cdumez@apple.com <cdumez@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 15 Dec 2016 20:55:18 +0000 (20:55 +0000)
https://bugs.webkit.org/show_bug.cgi?id=165908

Reviewed by Geoffrey Garen.

* runtime/JSObject.cpp:
(JSC::JSObject::getOwnPropertyDescriptor):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@209869 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/JSObject.cpp

index f438eaf..10fcfdd 100644 (file)
@@ -1,3 +1,13 @@
+2016-12-15  Chris Dumez  <cdumez@apple.com>
+
+        Harden JSObject::getOwnPropertyDescriptor()
+        https://bugs.webkit.org/show_bug.cgi?id=165908
+
+        Reviewed by Geoffrey Garen.
+
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::getOwnPropertyDescriptor):
+
 2016-12-15  Keith Miller  <keith_miller@apple.com>
 
         Fix 64-bit shift family Wasm opcodes
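Review bot: The new ChangeLog entry names the function under `* runtime/JSObject.cpp:` but says nothing about what was hardened or why. A sentence after `(JSC::JSObject::getOwnPropertyDescriptor):` stating that `jsCast` became `jsDynamicCast` with a null check, and under what condition the value might not be a `CustomGetterSetter`, would let someone reading the log later judge whether this is defense in depth or a fix for a reachable type confusion.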
index 92b8ec1..8742e8f 100644 (file)
@@ -3217,8 +3217,12 @@ bool JSObject::getOwnPropertyDescriptor(ExecState* exec, PropertyName propertyNa
             }
 
             ASSERT(maybeGetterSetter);
-            getterSetter = jsCast<CustomGetterSetter*>(maybeGetterSetter);
+            getterSetter = jsDynamicCast<CustomGetterSetter*>(maybeGetterSetter);
         }
+        ASSERT(getterSetter);
+        if (!getterSetter)
+            return false;
+
         if (getterSetter->getter())
             descriptor.setGetter(getCustomGetterSetterFunctionForGetterSetter(exec, propertyName, getterSetter, JSCustomGetterSetterFunction::Type::Getter));
         if (getterSetter->setter())
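Review bot: The added `if (!getterSetter) return false;` after the closing brace makes release builds fail silently in the exact case `ASSERT(getterSetter)` flags in debug builds, and nothing in the hunk says when the `jsDynamicCast<CustomGetterSetter*>` is expected to fail. Please add a short comment above the check describing the situation it guards against, and consider a regression test, since the commit touches only the ChangeLog and `JSObject.cpp`. Separately, `ASSERT(maybeGetterSetter)` just before the cast is still debug-only; if that value can be null in a release build, confirm that `jsDynamicCast` tolerates a null argument or test it explicitly before casting.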