LibJS: Fix UB downcast during GlobalObject construction

When constructing a GlobalObject, it has to pass itself as the global object to its own Shape. Since this is done in the Object constructor, and Object is a base class of GlobalObject, it's not yet valid to cast "this" to a GlobalObject*. Fix this by having Shape store the global object as an Object& and move Shape::global_object() to GlobalObject.h where we can at least perform a valid static_cast in the getter. Found by oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29267
2025-05-30 18:38:12 +00:00 · 2021-01-05 12:02:59 +01:00 · 2021-01-05 12:02:59 +01:00 · fdd974b7ef
commit fdd974b7ef
parent 279d2eee04
4 changed files with 10 additions and 5 deletions
--- a/Libraries/LibJS/Runtime/Object.cpp
+++ b/Libraries/LibJS/Runtime/Object.cpp
@ -90,7 +90,7 @@ Object* Object::create_empty(GlobalObject& global_object)
 Object::Object(GlobalObjectTag)
 {
    // This is the global object
-    m_shape = heap().allocate_without_global_object<Shape>(static_cast<GlobalObject&>(*this));
+    m_shape = heap().allocate_without_global_object<Shape>(*this);
 }

 Object::Object(ConstructWithoutPrototypeTag, GlobalObject& global_object)