LibJS: GlobalObject must mark builtin prototypes

Failing to mark them leads to use-after-free since the GlobalObject cached prototypes are used for new NumberObject, StringObject, etc. Found by oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30319
2025-01-24 02:12:09 -05:00 · 2021-02-05 14:51:18 +01:00 · 2021-02-05 14:51:18 +01:00 · 7df3b95126
commit 7df3b95126
parent 0269578d3e
1 changed files with 3 additions and 1 deletions
--- a/Userland/Libraries/LibJS/Runtime/GlobalObject.cpp
+++ b/Userland/Libraries/LibJS/Runtime/GlobalObject.cpp
@ -167,8 +167,10 @@ void GlobalObject::visit_edges(Visitor& visitor)
    visitor.visit(m_proxy_constructor);

 #define __JS_ENUMERATE(ClassName, snake_name, PrototypeName, ConstructorName, ArrayType) \
-    visitor.visit(m_##snake_name##_constructor);
+    visitor.visit(m_##snake_name##_constructor);                                         \
+    visitor.visit(m_##snake_name##_prototype);
    JS_ENUMERATE_ERROR_SUBCLASSES
+    JS_ENUMERATE_BUILTIN_TYPES
 #undef __JS_ENUMERATE

 #define __JS_ENUMERATE(ClassName, snake_name) \