src/value-serializer.cc - Issue 2697023002: ValueDeserializer: Only allow valid keys when deserializing object properties.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: src/value-serializer.cc

Issue 2697023002: ValueDeserializer: Only allow valid keys when deserializing object properties. (Closed)

Patch Set: Add a unit test for a simpler version of this case. Created 3 years, 10 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: src/value-serializer.cc

diff --git a/src/value-serializer.cc b/src/value-serializer.cc

index f4bd4fd2094e745d46a3f8d27ba094a91c2e8594..df322702ed0c110d606b4b7ed43a95b85843f11a 100644

--- a/src/value-serializer.cc

+++ b/src/value-serializer.cc

@@ -1657,6 +1657,10 @@ static void CommitProperties(Handle<JSObject> object, Handle<Map> map,

}

+static bool IsValidObjectKey(Handle<Object> value) {

+ return value->IsName() || value->IsNumber();

Maybe<uint32_t> ValueDeserializer::ReadJSObjectProperties(

Handle<JSObject> object, SerializationTag end_tag,

bool can_use_transitions) {

@@ -1692,7 +1696,9 @@ Maybe<uint32_t> ValueDeserializer::ReadJSObjectProperties(

key = expected_key;

target = TransitionArray::ExpectedTransitionTarget(map);

} else {

- if (!ReadObject().ToHandle(&key)) return Nothing<uint32_t>();

+ if (!ReadObject().ToHandle(&key) || !IsValidObjectKey(key)) {

+ return Nothing<uint32_t>();

+ }

if (key->IsString()) {

key =

isolate_->factory()->InternalizeString(Handle<String>::cast(key));

@@ -1772,7 +1778,9 @@ Maybe<uint32_t> ValueDeserializer::ReadJSObjectProperties(

}

Handle<Object> key;

- if (!ReadObject().ToHandle(&key)) return Nothing<uint32_t>();

+ if (!ReadObject().ToHandle(&key) || !IsValidObjectKey(key)) {

+ return Nothing<uint32_t>();

+ }

Handle<Object> value;

if (!ReadObject().ToHandle(&value)) return Nothing<uint32_t>();

@@ -1821,6 +1829,7 @@ static Maybe<bool> SetPropertiesFromKeyValuePairs(Isolate* isolate,

uint32_t num_properties) {

for (unsigned i = 0; i < 2 * num_properties; i += 2) {

Handle<Object> key = data[i];

+ if (!IsValidObjectKey(key)) return Nothing<bool>();

Handle<Object> value = data[i + 1];

bool success;

LookupIterator it = LookupIterator::PropertyOrElement(

« no previous file with comments | « no previous file | test/unittests/value-serializer-unittest.cc » ('j') | no next file with comments »