From: ulan@chromium.org <ulan@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
Date: Wed, 23 Apr 2014 12:28:50 +0000 (+0000)
Subject: Harden DefineOrRedefineDataProperty.
X-Git-Tag: upstream/4.7.83~9483
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=f3488658948f360881479fa1da5e643d6719c71d;p=platform%2Fupstream%2Fv8.git

Harden DefineOrRedefineDataProperty.

R=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/240973002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20908 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---

diff --git a/src/runtime.cc b/src/runtime.cc
index c508b4a..b98ba40 100644
--- a/src/runtime.cc
+++ b/src/runtime.cc
@@ -5193,6 +5193,7 @@ RUNTIME_FUNCTION(Runtime_DefineOrRedefineAccessorProperty) {
   PropertyAttributes attr = static_cast<PropertyAttributes>(unchecked);
 
   bool fast = obj->HasFastProperties();
+  // DefineAccessor checks access rights.
   JSObject::DefineAccessor(obj, name, getter, setter, attr);
   RETURN_FAILURE_IF_SCHEDULED_EXCEPTION(isolate);
   if (fast) JSObject::TransformToFastProperties(obj, 0);
@@ -5216,6 +5217,12 @@ RUNTIME_FUNCTION(Runtime_DefineOrRedefineDataProperty) {
   RUNTIME_ASSERT((unchecked & ~(READ_ONLY | DONT_ENUM | DONT_DELETE)) == 0);
   PropertyAttributes attr = static_cast<PropertyAttributes>(unchecked);
 
+  // Check access rights if needed.
+  if (js_object->IsAccessCheckNeeded() &&
+      !isolate->MayNamedAccess(js_object, name, v8::ACCESS_SET)) {
+    return isolate->heap()->undefined_value();
+  }
+
   LookupResult lookup(isolate);
   js_object->LocalLookupRealNamedProperty(*name, &lookup);