shithub: libmujs

Download patch

ref: 78e56b78544106b4639189b4e967d77305ebc183
parent: eed8a67a496bedd388858b45dab2b7210bdedd6e
author: Tor Andersson <[email protected]>
date: Mon Dec 6 10:54:04 EST 2021

Bug 704748: Save original object in stack slot for returning after constructor.

The object in the 'this' slot may be overwritten if the constructor converts
it to a primitive value. Save the original object in an explicit stack slot
to keep it safe for returning afterwards.

--- a/jsrun.c
+++ b/jsrun.c
@@ -1195,6 +1195,10 @@
 	if (n > 0)
 		js_rot(J, n + 1);
 
+	/* and save a copy to return */
+	js_pushobject(J, newobj);
+	js_rot(J, n + 3);
+
 	/* call the function */
 	js_call(J, n);
 
@@ -1201,7 +1205,8 @@
 	/* if result is not an object, return the original object we created */
 	if (!js_isobject(J, -1)) {
 		js_pop(J, 1);
-		js_pushobject(J, newobj);
+	} else {
+		js_rot2pop1(J);
 	}
 }