authorAllan Sandfeld Jensen <allan.jensen@qt.io>2022-03-29 17:31:58 +0200
committerAllan Sandfeld Jensen <allan.jensen@qt.io>2022-03-30 07:56:48 +0000
commit6e8a0e618fc305d8a82d374b68952817a8314cba (patch)
tree29c684173d65253685742fb48432c521c558824b
parente986d64df33997165dcf83ce917ae530ae8d9f00 (diff)
[Backport] CVE-2022-1096
[runtime] Fix handling of interceptors Change-Id: I36b218f25c0dff6f5a39931e7536c6588ff46eef Reviewed-by: Igor Sheludko <ishell@chromium.org> (cherry picked from commit b85cb23217f629522702c19381db9c65accc1fba) Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/v8/src/objects/objects.cc10
1 files changed, 7 insertions, 3 deletions
diff --git a/chromium/v8/src/objects/objects.cc b/chromium/v8/src/objects/objects.cc
index 338254bd5cf..de4b3f5e423 100644
--- a/chromium/v8/src/objects/objects.cc
+++ b/chromium/v8/src/objects/objects.cc
@@ -2513,6 +2513,12 @@ Maybe<bool> Object::SetPropertyInternal(LookupIterator* it,
Maybe<bool> result =
JSObject::SetPropertyWithInterceptor(it, should_throw, value);
if (result.IsNothing() || result.FromJust()) return result;
+ // Assuming that the callback have side effects, we use
+ // Object::SetSuperProperty() which works properly regardless on
+ // whether the property was present on the receiver or not when
+ // storing to the receiver.
+ // Proceed lookup from the next state.
+ it->Next();
} else {
Maybe<PropertyAttributes> maybe_attributes =
JSObject::GetPropertyAttributesWithInterceptor(it);
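Review bot: The comment added above `it->Next()` names Object::SetSuperProperty() but never says outright why the store is routed there; presumably the lookup state captured before the interceptor callback ran can no longer be trusted once the callback has had side effects, and the comment should state that. It also has two wording slips ("have" for "has", "regardless on" for "regardless of"). Suggested wording: `// The interceptor callback may have side effects, so continue the lookup from the next state and store via Object::SetSuperProperty(), which works whether or not the property is present on the receiver.` The `return` this branch now depends on sits in the following hunk, and SetPropertyInternal begins and ends outside both hunks, so it is worth confirming in the full function that no path through the INTERCEPTOR case still reaches the later cases. The commit touches only objects.cc; if the upstream change shipped a regression test for a setter interceptor that declines the store, backporting it as well would keep this from regressing unnoticed.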
@@ -2533,10 +2539,8 @@ Maybe<bool> Object::SetPropertyInternal(LookupIterator* it,
// property to the receiver.
it->NotFound();
}
- return Object::SetSuperProperty(it, value, store_origin,
- should_throw);
}
- break;
+ return Object::SetSuperProperty(it, value, store_origin, should_throw);
}
case LookupIterator::ACCESSOR: {