Protect against scripts setting __proto__ to null. bug 317250, hopeful-r=brendan

2006-03-23 02:24:45 +00:00 · 2006-03-23 02:24:45 +00:00 · 004d9520d6
--- a/js/src/jsobj.c
+++ b/js/src/jsobj.c
@ -189,14 +189,16 @@ obj_setSlot(JSContext *cx, JSObject *obj, jsval id, jsval *vp)
        return JS_TRUE;
    pobj = JSVAL_TO_OBJECT(*vp);

-    /*
-     * Innerize pobj here to avoid sticking unwanted properties on the outer
-     * object. This ensures that any with statements only grant access to the
-     * inner object.
-     */
-    OBJ_TO_INNER_OBJECT(cx, pobj);
-    if (!pobj)
-        return JS_FALSE;
+    if (pobj) {
+        /*
+         * Innerize pobj here to avoid sticking unwanted properties on the outer
+         * object. This ensures that any with statements only grant access to the
+         * inner object.
+         */
+        OBJ_TO_INNER_OBJECT(cx, pobj);
+        if (!pobj)
+            return JS_FALSE;
+    }
    slot = (uint32) JSVAL_TO_INT(id);
    if (JS_HAS_STRICT_OPTION(cx) && !ReportStrictSlot(cx, slot))
        return JS_FALSE;