LibJS: Let RegExp.string get RegExp.prototype from the global object directly

We can't assume that RegExp on the global object is still the original constructor, or an object at all. This makes '--RegExp<</<</</,/</x/' work. :^) Found by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29740
2025-07-26 15:37:47 +00:00 · 2021-01-29 20:22:18 +01:00 · 2021-01-29 20:22:18 +01:00 · f9b1a9e60c
commit f9b1a9e60c
parent d0c5979d96
1 changed files with 2 additions and 3 deletions
--- a/Userland/Libraries/LibJS/Runtime/RegExpPrototype.cpp
+++ b/Userland/Libraries/LibJS/Runtime/RegExpPrototype.cpp
@ -137,9 +137,8 @@ JS_DEFINE_NATIVE_GETTER(RegExpPrototype::source)
    if (!this_object)
        return {};

-    // FIXME: This is obnoxious - we should have an easier way of looking up %RegExp.prototype%.
-    auto& regexp_prototype = global_object.get(vm.names.RegExp).as_object().get(vm.names.prototype).as_object();
-    if (this_object == &regexp_prototype)
+    auto* regexp_prototype = global_object.regexp_prototype();
+    if (this_object == regexp_prototype)
        return js_string(vm, "(?:)");

    auto regexp_object = regexp_object_from(vm, global_object);