Changeset 197862 in webkit for trunk/Source/JavaScriptCore/jsc.cpp

Timestamp:

Mar 9, 2016, 10:10:59 AM (9 years ago)

Author:

[email protected]

Message:

Harden JSC Root element functions from bad values
​https://bugs.webkit.org/show_bug.cgi?id=155234

Reviewed by Saam Barati.

Changed jsCast() to jsDynamicCast() in Root related function to protect against being
called with non-Root arguments.

• jsc.cpp:

(functionCreateElement):
(functionGetElement):
(functionSetElementRoot):

File:

• trunk/Source/JavaScriptCore/jsc.cpp (modified) (3 diffs)

trunk/Source/JavaScriptCore/jsc.cpp

@@ -1175 +1175 @@
 {
     JSLockHolder lock(exec);
-    JSValue arg = exec->argument(0);
-    return JSValue::encode(Element::create(exec->vm(), exec->lexicalGlobalObject(), arg.isNull() ? nullptr : jsCast<Root*>(exec->argument(0))));
+    Root* root = jsDynamicCast<Root*>(exec->argument(0));
+    if (!root)
+        return JSValue::encode(jsUndefined());
+    return JSValue::encode(Element::create(exec->vm(), exec->lexicalGlobalObject(), root));
 }
 
@@ -1182 +1184 @@
 {
     JSLockHolder lock(exec);
-    Element* result = jsCast<Root*>(exec->argument(0).asCell())->element();
+    Root* root = jsDynamicCast<Root*>(exec->argument(0));
+    if (!root)
+        return JSValue::encode(jsUndefined());
+    Element* result = root->element();
     return JSValue::encode(result ? result : jsUndefined());
 }
@@ -1189 +1194 @@
 {
     JSLockHolder lock(exec);
-    Element* element = jsCast<Element*>(exec->argument(0));
-    Root* root = jsCast<Root*>(exec->argument(1));
-    element->setRoot(exec->vm(), root);
+    Element* element = jsDynamicCast<Element*>(exec->argument(0));
+    Root* root = jsDynamicCast<Root*>(exec->argument(1));
+    if (element && root)
+        element->setRoot(exec->vm(), root);
     return JSValue::encode(jsUndefined());
 }