Bug 6322

Summary: DateProtoFuncImp::callAsFunction can crash due to lack of type checking
Product: WebKit
Reporter: Maks Orlovich <maksim>
Component: JavaScriptCore
Assignee: Geoffrey Garen <ggaren>
Status: RESOLVED FIXED
Severity: Major
CC: alice.barraclough
Priority: P1
Keywords: InRadar
Version: 420+
Hardware: Other
OS: Linux

Attachments (description, flags):
    reduction    none
    Fix          darin: review+

Maks Orlovich
Reported 2006-01-01 09:13:40 PST
DateProtoFuncImp::callAsFunction will call internalValue->toNumber on most inputs, without checking the type. This can a) crash (see below), and b) seems wrong, since I do not see in the spec that most methods of Date.prototype should be generic.

Sample testcase:

    Math.__proto__.crash = Date.prototype.getDate;
    Math.crash();

(spotted when trying to push internalValue further down into the hierarchy)
Attachments
reduction (626 bytes, text/html)
2006-01-13 17:19 PST, Geoffrey Garen
no flags
Fix (4.19 KB, patch)
2006-01-13 17:51 PST, Geoffrey Garen
darin: review+
Alice Liu
Comment 1 2006-01-11 17:06:53 PST
Geoffrey Garen
Comment 2 2006-01-13 17:19:13 PST
Created attachment 5650 [details]: reduction

Attached reduction.
Geoffrey Garen
Comment 3 2006-01-13 17:26:37 PST
15.9.5 Properties of the Date Prototype Object

    None of these functions are generic; a TypeError exception is thrown if the this value is not an object for which the value of the internal [[Class]] property is "Date".
Geoffrey Garen
Comment 4 2006-01-13 17:51:50 PST
Created attachment 5651 [details]: Fix

Three cheers for the delete key. 0 regressions found. 0 tests fixed.
Darin Adler
Comment 5 2006-01-13 22:52:08 PST
Comment on attachment 5651 [details]: Fix

Would be nice to test all the methods instead of just getDate. r=me
Geoffrey Garen
Comment 6 2006-01-16 18:19:14 PST
Landed with tests for all methods but valueOf, which seems to confuse our test engine. Will file new bug about that.
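The following is an added example, not code from this bug report, its attachments or WebKit. It turns the reporter's testcase into a checkable function, implements the kind of test Darin asked for in comment 5 (every Date.prototype method, not just getDate, against several non-Date receivers), and shows the brand check that the spec text quoted in comment 3 demands: the engine must ask whether the object carries a Date's internal value, not whether Date.prototype is on its prototype chain. It assumes a current JavaScript engine (ES2018 or later, where Date.prototype.toString also rejects non-Date receivers); the receiver list and all function names are constructed for this example.

```javascript
// Added example, not code from the WebKit bug or its patch.

// The original report's testcase, wrapped so its outcome can be checked instead
// of crashing the process: getDate invoked with Math as `this`.
function originalTestcase() {
  try {
    // Math.__proto__ is Object.prototype, so this adds `crash` to every object.
    Object.prototype.crash = Date.prototype.getDate;
    Math.crash(); // a buggy engine reads a non-existent internal value here
    return 'returned';
  } catch (e) {
    return e instanceof TypeError ? 'TypeError' : 'other: ' + e.name;
  } finally {
    delete Object.prototype.crash;
  }
}

// Names of every function on Date.prototype except the constructor.
function dateMethodNames() {
  return Object.getOwnPropertyNames(Date.prototype).filter(
    (name) => name !== 'constructor' && typeof Date.prototype[name] === 'function'
  );
}

// Invoke one Date.prototype method with an arbitrary receiver and report what happened.
function probe(name, receiver) {
  try {
    Date.prototype[name].call(receiver);
    return 'returned';
  } catch (e) {
    return e instanceof TypeError ? 'TypeError' : 'other: ' + e.name;
  }
}

// Constructed non-Date receivers, as [label, value] pairs. The object created from
// Date.prototype passes `instanceof Date` but carries no internal date value.
const NON_DATE_RECEIVERS = [
  ['Math', Math],
  ['plain object', {}],
  ['number', 42],
  ['string', 'str'],
  ['Object.create(Date.prototype)', Object.create(Date.prototype)],
  ['null', null],
  ['undefined', undefined],
];

// Run every method against every non-Date receiver; return the calls that did
// not throw TypeError. A conforming engine returns an empty list.
function findNonGenericViolations(receivers = NON_DATE_RECEIVERS) {
  const violations = [];
  for (const name of dateMethodNames()) {
    for (const [label, receiver] of receivers) {
      const outcome = probe(name, receiver);
      if (outcome !== 'TypeError') {
        violations.push({ name, receiver: label, outcome });
      }
    }
  }
  return violations;
}

// Brand check modelled on what the fix has to do inside the engine: the only way
// to learn from script whether an object really is a Date is to hand it to an
// intrinsic that performs the internal check, rather than inspecting the chain.
function isDateBrand(x) {
  try {
    Date.prototype.getTime.call(x);
    return true;
  } catch (e) {
    return false;
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('original testcase:', originalTestcase());
  console.log('methods checked:', dateMethodNames().length);
  console.log('violations:', findNonGenericViolations());
  const fake = Object.create(Date.prototype);
  console.log('fake instanceof Date:', fake instanceof Date, 'brand check:', isDateBrand(fake));
}
```

The receiver list deliberately includes an object created from Date.prototype: a prototype-chain test such as `instanceof` accepts it, which is exactly the mistake a type check at the top of the native function must not make. Any entry the checker returns names a method that can be called with a receiver it has no internal value for, which is the condition that crashed JavaScriptCore here.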