Changeset 251403 in webkit

Timestamp:

Oct 21, 2019 5:51:26 PM (4 years ago)

Author:

mark.lam@apple.com

Message:

Fix missing exception check in JSON Stringifier.
​https://bugs.webkit.org/show_bug.cgi?id=203227
<rdar://problem/56459854>

Reviewed by Keith Miller.

JSTests:

• stress/missing-exception-check-in-josn-stringifier.js: Added.

Source/JavaScriptCore:

• runtime/JSONObject.cpp:

(JSC::Stringifier::Stringifier):

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/stress/missing-exception-check-in-josn-stringifier.js (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSONObject.cpp (modified) (1 diff)

trunk/JSTests/ChangeLog

@@ +1 @@
+2019-10-21  Mark Lam  <mark.lam@apple.com>
+
+        Fix missing exception check in JSON Stringifier.
+        https://bugs.webkit.org/show_bug.cgi?id=203227
+        <rdar://problem/56459854>
+
+        Reviewed by Keith Miller.
+
+        * stress/missing-exception-check-in-josn-stringifier.js: Added.
+
 2019-10-21  Saam Barati  <sbarati@apple.com>
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2019-10-21  Mark Lam  <mark.lam@apple.com>
+
+        Fix missing exception check in JSON Stringifier.
+        https://bugs.webkit.org/show_bug.cgi?id=203227
+        <rdar://problem/56459854>
+
+        Reviewed by Keith Miller.
+
+        * runtime/JSONObject.cpp:
+        (JSC::Stringifier::Stringifier):
+
 2019-10-21  Mark Lam  <mark.lam@apple.com>
 

trunk/Source/JavaScriptCore/runtime/JSONObject.cpp

@@ -238 +238 @@
             if (isArrayReplacer) {
                 m_usingArrayReplacer = true;
-                unsigned length = replacerObject->get(exec, vm.propertyNames->length).toUInt32(exec);
+                JSValue lengthValue = replacerObject->get(exec, vm.propertyNames->length);
+                RETURN_IF_EXCEPTION(scope, );
+                unsigned length = lengthValue.toUInt32(exec);
                 RETURN_IF_EXCEPTION(scope, );
                 for (unsigned i = 0; i < length; ++i) {