[Webkit-unassigned] [Bug 6322] New: Date object prototype functions improperly access internalValue (Crash)

Sun Jan 1 09:13:40 PST 2006

http://bugzilla.opendarwin.org/show_bug.cgi?id=6322

           Summary: Date object prototype functions improperly access
                    internalValue (Crash)
           Product: WebKit
           Version: 412+
          Platform: Other
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: JavaScript
        AssignedTo: webkit-unassigned at opendarwin.org
        ReportedBy: maksim at kde.org

DateProtoFuncImp::callAsFunction will call internalValue->toNumber on most 
inputs, w/o checking the type. This can a) crash (see below) b) seems wrong 
since I do not see it in the spec that most methods of Date.prototype should 
be generic. 

Sample testcase: 
Math.__proto__.crash = Date.prototype.getDate; 
Math.crash(); 

(spotted when trying to push internalValue further down into hierarchy)

-- 
Configure bugmail: http://bugzilla.opendarwin.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.