[njs] Fixed njs_vmcode_property_init().

Dmitry Volyntsev xeioex at nginx.com
Mon Aug 12 13:13:07 UTC 2019 

details:   https://hg.nginx.org/njs/rev/e22663f2defe
branches:  
changeset: 1119:e22663f2defe
user:      Dmitry Volyntsev <xeioex at nginx.com>
date:      Mon Aug 12 14:54:46 2019 +0300
description:
Fixed njs_vmcode_property_init().

Function assumed obj->__proto__ is never NULL, whereas it can become
NULL after __proto__: null assignment.

diffstat:

 src/njs_vmcode.c         |  23 +++++++++++++----------
 src/test/njs_unit_test.c |   6 ++++++
 2 files changed, 19 insertions(+), 10 deletions(-)

diffs (51 lines):

diff -r 239f3511397b -r e22663f2defe src/njs_vmcode.c
--- a/src/njs_vmcode.c	Thu Aug 08 14:19:56 2019 +0300
+++ b/src/njs_vmcode.c	Mon Aug 12 14:54:46 2019 +0300
@@ -1136,18 +1136,21 @@ njs_vmcode_property_init(njs_vm_t *vm, n
 
         obj = njs_object(value);
 
-        ret = njs_lvlhsh_find(&obj->__proto__->shared_hash, &lhq);
-        if (ret == NJS_OK) {
-            prop = lhq.value;
+        if (obj->__proto__ != NULL) {
+            /* obj->__proto__ can be NULL after __proto__: null assignment */
+            ret = njs_lvlhsh_find(&obj->__proto__->shared_hash, &lhq);
+            if (ret == NJS_OK) {
+                prop = lhq.value;
 
-            if (prop->type == NJS_PROPERTY_HANDLER) {
-                ret = prop->value.data.u.prop_handler(vm, value, init,
-                                                      &vm->retval);
-                if (njs_slow_path(ret != NJS_OK)) {
-                    return ret;
+                if (prop->type == NJS_PROPERTY_HANDLER) {
+                    ret = prop->value.data.u.prop_handler(vm, value, init,
+                                                          &vm->retval);
+                    if (njs_slow_path(ret != NJS_OK)) {
+                        return ret;
+                    }
+
+                    break;
                 }
-
-                break;
             }
         }
 
diff -r 239f3511397b -r e22663f2defe src/test/njs_unit_test.c
--- a/src/test/njs_unit_test.c	Thu Aug 08 14:19:56 2019 +0300
+++ b/src/test/njs_unit_test.c	Mon Aug 12 14:54:46 2019 +0300
@@ -8776,6 +8776,12 @@ static njs_unit_test_t  njs_test[] =
     { njs_str("({}).__proto__ = null"),
       njs_str("null") },
 
+    { njs_str("({__proto__:null}).__proto__"),
+      njs_str("undefined") },
+
+    { njs_str("({__proto__:null, a:1}).a"),
+      njs_str("1") },
+
     { njs_str("({__proto__: []}) instanceof Array"),
       njs_str("true") },

More information about the nginx-devel mailing list