RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-05-31 14:48:14 +00:00
Code Issues Activity Actions

LibJS: Don't change offset when reconfiguring property in unique shape

Browse source 
When changing the attributes of an existing property of an object with
unique shape we must not change the PropertyMetadata offset.
Doing so without resizing the underlying storage vector caused an OOB
write crash.

Fixes #3735.
This commit is contained in:
Linus Groh 2020-10-10 14:42:23 +01:00 committed by Andreas Kling
parent fcd263f17b
commit a5bf6cfff9
2 changed files with 14 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

6
Libraries/LibJS/Runtime/Shape.cpp
View file

@ -195,8 +195,10 @@ void Shape::reconfigure_property_in_unique_shape(const StringOrSymbol& property_
{
ASSERT(is_unique());
ASSERT(m_property_table);
ASSERT(m_property_table->contains(property_name));
m_property_table->set(property_name, { m_property_table->size(), attributes });
auto it = m_property_table->find(property_name);
ASSERT(it != m_property_table->end());
it->value.attributes = attributes;
m_property_table->set(property_name, it->value);
}
void Shape::remove_property_from_unique_shape(const StringOrSymbol& property_name, size_t offset)