RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-06-01 07:48:12 +00:00
Code Issues Activity Actions

LibJS: Do not assume that IsArray means the object type is an Array

Browse source 
IsArray returns true if the object is an Array *or* if it is a
ProxyObject whose target is an Array. Therefore, we cannot downcast to
an Array based on IsArray.

Luckily, we don't actually need an Array here; SerializeJSONArray only
needs an Object.

This was caught by UBSAN with vptr sanitation enabled.
This commit is contained in:
Timothy Flynn 2022-09-14 16:11:35 -04:00 committed by Andreas Kling
parent 98a6f962a0
commit 3efe611dbf
1 changed files with 1 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

2
Userland/Libraries/LibJS/Runtime/JSONObject.cpp
View file

@ -207,7 +207,7 @@ ThrowCompletionOr<String> JSONObject::serialize_json_property(VM& vm, StringifyS
// b. If isArray is true, return ? SerializeJSONArray(state, value).
if (is_array)
return serialize_json_array(vm, state, static_cast<Array&>(value.as_object()));
return serialize_json_array(vm, state, value.as_object());
// c. Return ? SerializeJSONObject(state, value).
return serialize_json_object(vm, state, value.as_object());