Perform access checks on the prototype chain when setting an element through a setter

BUG= Review URL: https://codereview.chromium.org/861773002 Cr-Commit-Position: refs/heads/master@{#26173}

Perform access checks on the prototype chain when setting an element through a setter
BUG= Review URL: https://codereview.chromium.org/861773002 Cr-Commit-Position: refs/heads/master@{#26173}
65c01bdc · verwaest · Commit bot · bc3b2960 · 65c01bdc
Commit 65c01bdc authored Jan 20, 2015 by verwaest Committed by Commit bot Jan 20, 2015
Hide whitespace changes
Inline Side-by-side

Showing with 12 additions and 1 deletion

objects.cc src/objects.cc +12 -1

No files found.
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -2976,7 +2976,7 @@ MaybeHandle<Object> JSObject::SetElementWithCallbackSetterInPrototypes(
    Handle<Object> value,
    bool* found,
    StrictMode strict_mode) {
-  Isolate *isolate = object->GetIsolate();
+  Isolate* isolate = object->GetIsolate();
  for (PrototypeIterator iter(isolate, object); !iter.IsAtEnd();
       iter.Advance()) {
    if (PrototypeIterator::GetCurrent(iter)->IsJSProxy()) {
@@ -2987,9 +2987,20 @@ MaybeHandle<Object> JSObject::SetElementWithCallbackSetterInPrototypes(
    }
    Handle<JSObject> js_proto =
        Handle<JSObject>::cast(PrototypeIterator::GetCurrent(iter));
+
+    if (js_proto->IsAccessCheckNeeded()) {
+      if (!isolate->MayIndexedAccess(js_proto, index, v8::ACCESS_SET)) {
+        *found = true;
+        isolate->ReportFailedAccessCheck(js_proto, v8::ACCESS_SET);
+        RETURN_EXCEPTION_IF_SCHEDULED_EXCEPTION(isolate, Object);
+        return MaybeHandle<Object>();
+      }
+    }
+
    if (!js_proto->HasDictionaryElements()) {
      continue;
    }
+
    Handle<SeededNumberDictionary> dictionary(js_proto->element_dictionary());
    int entry = dictionary->FindEntry(index);
    if (entry != SeededNumberDictionary::kNotFound) {