From 65c01bdc64c85154a1c570c8f21a7fe24b3d9fee Mon Sep 17 00:00:00 2001
From: verwaest
Date: Tue, 20 Jan 2015 08:50:48 -0800
Subject: [PATCH] Perform access checks on the prototype chain when setting an element through a setter
BUG=
Review URL: https://codereview.chromium.org/861773002
Cr-Commit-Position: refs/heads/master@{#26173}
---
 src/objects.cc | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/src/objects.cc b/src/objects.cc
index 2623836..7a3057a 100644
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -2976,7 +2976,7 @@ MaybeHandle JSObject::SetElementWithCallbackSetterInPrototypes(
     Handle value, bool* found, StrictMode strict_mode) {
-  Isolate *isolate = object->GetIsolate();
+  Isolate* isolate = object->GetIsolate();
   for (PrototypeIterator iter(isolate, object); !iter.IsAtEnd();
        iter.Advance()) {
     if (PrototypeIterator::GetCurrent(iter)->IsJSProxy()) {
@@ -2987,9 +2987,20 @@ MaybeHandle JSObject::SetElementWithCallbackSetterInPrototypes(
     }
     Handle js_proto =
         Handle::cast(PrototypeIterator::GetCurrent(iter));
+
+    if (js_proto->IsAccessCheckNeeded()) {
+      if (!isolate->MayIndexedAccess(js_proto, index, v8::ACCESS_SET)) {
+        *found = true;
+        isolate->ReportFailedAccessCheck(js_proto, v8::ACCESS_SET);
+        RETURN_EXCEPTION_IF_SCHEDULED_EXCEPTION(isolate, Object);
+        return MaybeHandle();
+      }
+    }
+
     if (!js_proto->HasDictionaryElements()) {
       continue;
     }
+
     Handle dictionary(js_proto->element_dictionary());
     int entry = dictionary->FindEntry(index);
     if (entry != SeededNumberDictionary::kNotFound) {
-- 
2.7.4
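Review bot: In the second hunk, when `MayIndexedAccess` denies the store but `ReportFailedAccessCheck` does not schedule an exception, the new branch falls past `RETURN_EXCEPTION_IF_SCHEDULED_EXCEPTION` and returns an empty `MaybeHandle()` with nothing pending, which callers of a `MaybeHandle` return conventionally read as "an exception was thrown". Since `*found = true` already tells the caller to stop rather than fall through to the ordinary store, the silent-denial path should return a real handle, e.g. `return value;` in place of `return MaybeHandle();`, so a denied store is a swallowed store rather than an unthrown exception. Whether the embedder's failed-access callback is required to always throw is not visible in the hunk, so this is worth confirming against `ReportFailedAccessCheck`'s contract before relying on it. `SetElementWithCallbackSetterInPrototypes` begins before the first hunk and continues past the second.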