Changeset 21332 in webkit for trunk/JavaScriptCore/kjs/object.cpp

Timestamp:

May 9, 2007, 3:36:25 AM (18 years ago)

Author:

eseidel

Message:

2007-05-09 Eric Seidel <​[email protected]>

Reviewed by mjs.

​http://bugs.webkit.org/show_bug.cgi?id=6985
Cyclic proto values cause WebKit to hang

• kjs/object.cpp: (KJS::JSObject::put): do a cycle check before setting proto

File:

• trunk/JavaScriptCore/kjs/object.cpp (modified) (2 diffs)

trunk/JavaScriptCore/kjs/object.cpp

@@ -5 +5 @@
  *  Copyright (C) 2001 Peter Kelly ([email protected])
  *  Copyright (C) 2003, 2004, 2005, 2006 Apple Computer, Inc.
+ *  Copyright (C) 2007 Eric Seidel ([email protected])
  *
  *  This library is free software; you can redistribute it and/or
@@ -212 +213 @@
   // non-standard netscape extension
   if (propertyName == exec->propertyNames().underscoreProto) {
+    JSObject* proto = value->getObject();
+    while (proto) {
+      if (proto == this)
+        throwError(exec, GeneralError, "cyclic __proto__ value");
+      proto = proto->prototype() ? proto->prototype()->getObject() : 0;
+    }
+    
     setPrototype(value);
     return;