From: Dmitry Volyntsev
Date: Mon, 12 Aug 2019 11:54:46 +0000 (+0300)
Subject: Fixed njs_vmcode_property_init().
X-Git-Url: http://git.kaiwu.me/sitemap.xml?a=commitdiff_plain;h=391424ddd546e4efd1cf76aff09946c0fc0ba6a6;p=njs.git
Fixed njs_vmcode_property_init().
Function assumed obj->__proto__ is never NULL, whereas it can become NULL after __proto__: null assignment.
---
diff --git a/src/njs_vmcode.c b/src/njs_vmcode.c
index a5f16d85..fc07ebf2 100644
--- a/src/njs_vmcode.c
+++ b/src/njs_vmcode.c
@@ -1136,18 +1136,21 @@ njs_vmcode_property_init(njs_vm_t *vm, njs_value_t *value, njs_value_t *key,
 obj = njs_object(value);
- ret = njs_lvlhsh_find(&obj->__proto__->shared_hash, &lhq);
- if (ret == NJS_OK) {
- prop = lhq.value;
+ if (obj->__proto__ != NULL) {
+ /* obj->__proto__ can be NULL after __proto__: null assignment */
+ ret = njs_lvlhsh_find(&obj->__proto__->shared_hash, &lhq);
+ if (ret == NJS_OK) {
+ prop = lhq.value;
- if (prop->type == NJS_PROPERTY_HANDLER) {
- ret = prop->value.data.u.prop_handler(vm, value, init,
- &vm->retval);
- if (njs_slow_path(ret != NJS_OK)) {
- return ret;
- }
+ if (prop->type == NJS_PROPERTY_HANDLER) {
+ ret = prop->value.data.u.prop_handler(vm, value, init,
+ &vm->retval);
+ if (njs_slow_path(ret != NJS_OK)) {
+ return ret;
+ }
- break;
+ break;
+ }
 }
 }
diff --git a/src/test/njs_unit_test.c b/src/test/njs_unit_test.c
index f29a8b0e..2eb02ead 100644
--- a/src/test/njs_unit_test.c
+++ b/src/test/njs_unit_test.c
@@ -8776,6 +8776,12 @@ static njs_unit_test_t njs_test[] =
 { njs_str("({}).__proto__ = null"),
 njs_str("null") },
+ { njs_str("({__proto__:null}).__proto__"),
+ njs_str("undefined") },
+
+ { njs_str("({__proto__:null, a:1}).a"),
+ njs_str("1") },
+
 { njs_str("({__proto__: []}) instanceof Array"),
 njs_str("true") },
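Review bot: The comment added in the njs_vmcode.c hunk sits inside the body of `if (obj->__proto__ != NULL)` and says only when the pointer can be NULL, not what the code does in that case. It would read better above the guard with the consequence stated, e.g. `/* __proto__: null leaves obj->__proto__ NULL: there is no shared_hash to search, so skip the handler lookup. */`. The pre-fix line dereferenced `obj->__proto__->shared_hash` on an object whose prototype the script itself controls, so any other unguarded `obj->__proto__->` access in this file (none visible here) presumably deserves the same check. The body of njs_vmcode_property_init() starts and ends outside the hunk, so what runs after the skipped lookup cannot be confirmed from this page.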