From abb5119d0f307f7f98e59a5f3ee9872f3d286b37 Mon Sep 17 00:00:00 2001
From: Allan Sandfeld Jensen <allan.jensen@qt.io>
Date: Tue, 29 Mar 2022 17:31:58 +0200
Subject: [Backport] CVE-2022-1096

[runtime] Fix handling of interceptors

Change-Id: I36b218f25c0dff6f5a39931e7536c6588ff46eef
Reviewed-by: Igor Sheludko <ishell@chromium.org>
(cherry picked from commit b85cb23217f629522702c19381db9c65accc1fba)
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
---
 chromium/v8/src/objects/objects.cc | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/src/3rdparty/chromium/v8/src/objects/objects.cc b/src/3rdparty/chromium/v8/src/objects/objects.cc
index 43d835044de..f1d15d27c6e 100644
--- a/src/3rdparty/chromium/v8/src/objects/objects.cc
+++ b/src/3rdparty/chromium/v8/src/objects/objects.cc
@@ -2481,6 +2481,12 @@ Maybe<bool> Object::SetPropertyInternal(LookupIterator* it,
           Maybe<bool> result =
               JSObject::SetPropertyWithInterceptor(it, should_throw, value);
           if (result.IsNothing() || result.FromJust()) return result;
+          // Assuming that the callback have side effects, we use
+          // Object::SetSuperProperty() which works properly regardless on
+          // whether the property was present on the receiver or not when
+          // storing to the receiver.
+          // Proceed lookup from the next state.
+          it->Next();
         } else {
           Maybe<PropertyAttributes> maybe_attributes =
               JSObject::GetPropertyAttributesWithInterceptor(it);
@@ -2501,10 +2507,8 @@ Maybe<bool> Object::SetPropertyInternal(LookupIterator* it,
             // property to the receiver.
             it->NotFound();
           }
-          return Object::SetSuperProperty(it, value, store_origin,
-                                          should_throw);
         }
-        break;
+        return Object::SetSuperProperty(it, value, store_origin, should_throw);
       }
 
       case LookupIterator::ACCESSOR: {
-- 
cgit v1.2.1