Google Git
Sign in
webkit / WebKit / fa090c6dde060824ef444571f122628239938433^! / .
commitfa090c6dde060824ef444571f122628239938433[log] [tgz]
authormark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>Tue Oct 22 00:51:26 2019 +0000
committermark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>Tue Oct 22 00:51:26 2019 +0000
tree618ca78d9a2696c6ab425665e42bb4ccb45819ea
parentb1e2ac5eee1e44ced0536b8c51174a3500853c9b [diff]
Fix missing exception check in JSON Stringifier.
https://bugs.webkit.org/show_bug.cgi?id=203227
<rdar://problem/56459854>

Reviewed by Keith Miller.

JSTests:

* stress/missing-exception-check-in-josn-stringifier.js: Added.

Source/JavaScriptCore:

* runtime/JSONObject.cpp:
(JSC::Stringifier::Stringifier):



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@251403 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/JSTests/ChangeLog b/JSTests/ChangeLog
index 8aaafda..341d8e3 100644
--- a/JSTests/ChangeLog
+++ b/JSTests/ChangeLog

@@ -1,3 +1,13 @@
+2019-10-21  Mark Lam  <mark.lam@apple.com>
+
+        Fix missing exception check in JSON Stringifier.
+        https://bugs.webkit.org/show_bug.cgi?id=203227
+        <rdar://problem/56459854>
+
+        Reviewed by Keith Miller.
+
+        * stress/missing-exception-check-in-josn-stringifier.js: Added.
+
 2019-10-21  Saam Barati  <sbarati@apple.com>
 
         JSON.parse has bad is array assert

diff --git a/JSTests/stress/missing-exception-check-in-josn-stringifier.js b/JSTests/stress/missing-exception-check-in-josn-stringifier.js
new file mode 100644
index 0000000..8812f6b
--- /dev/null
+++ b/JSTests/stress/missing-exception-check-in-josn-stringifier.js

@@ -0,0 +1,8 @@
+//@ runDefault
+
+let p = new Proxy([], {
+    get: function() {
+        return {};
+    }
+});
+JSON.stringify(null, p);

diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index 50e1d6e..de47df1 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog

@@ -1,5 +1,16 @@
 2019-10-21  Mark Lam  <mark.lam@apple.com>
 
+        Fix missing exception check in JSON Stringifier.
+        https://bugs.webkit.org/show_bug.cgi?id=203227
+        <rdar://problem/56459854>
+
+        Reviewed by Keith Miller.
+
+        * runtime/JSONObject.cpp:
+        (JSC::Stringifier::Stringifier):
+
+2019-10-21  Mark Lam  <mark.lam@apple.com>
+
         Rolling out r251226: Causes a build speed regression.
         https://bugs.webkit.org/show_bug.cgi?id=203219
 

diff --git a/Source/JavaScriptCore/runtime/JSONObject.cpp b/Source/JavaScriptCore/runtime/JSONObject.cpp
index dcb176e..b035a89 100644
--- a/Source/JavaScriptCore/runtime/JSONObject.cpp
+++ b/Source/JavaScriptCore/runtime/JSONObject.cpp

@@ -237,7 +237,9 @@
             RETURN_IF_EXCEPTION(scope, );
             if (isArrayReplacer) {
                 m_usingArrayReplacer = true;
-                unsigned length = replacerObject->get(exec, vm.propertyNames->length).toUInt32(exec);
+                JSValue lengthValue = replacerObject->get(exec, vm.propertyNames->length);
+                RETURN_IF_EXCEPTION(scope, );
+                unsigned length = lengthValue.toUInt32(exec);
                 RETURN_IF_EXCEPTION(scope, );
                 for (unsigned i = 0; i < length; ++i) {
                     JSValue name = replacerObject->get(exec, i);