From b46535cb8d511e34389a2c2342570066791d37cd Mon Sep 17 00:00:00 2001
From: Robert Fancsik
Date: Fri, 15 Jan 2021 14:11:47 +0100
Subject: [PATCH] Add strict flag check for ecma_op_object_put_apply_receiver (#4450)
This patch fixes #4441.
JerryScript-DCO-1.0-Signed-off-by: Robert Fancsik frobert@inf.u-szeged.hu
---
jerry-core/ecma/operations/ecma-objects.c | 14 ++++++++++-
.../es.next/regression-test-issue-4441.js | 25 +++++++++++++++++++
2 files changed, 38 insertions(+), 1 deletion(-)
create mode 100644 tests/jerry/es.next/regression-test-issue-4441.js
diff --git a/jerry-core/ecma/operations/ecma-objects.c b/jerry-core/ecma/operations/ecma-objects.c
index f4d1ae1db..4b5fee114 100644
--- a/jerry-core/ecma/operations/ecma-objects.c
+++ b/jerry-core/ecma/operations/ecma-objects.c
@@ -1164,6 +1164,11 @@ ecma_op_object_put_apply_receiver (ecma_value_t receiver, /**< receiver */
/* 5.e.iv */
result = ecma_op_object_define_own_property (receiver_obj_p, property_name_p, &prop_desc);
+
+ if (JERRY_UNLIKELY (ecma_is_value_false (result)) && is_throw)
+ {
+ result = ecma_raise_type_error (ECMA_ERR_MSG ("Proxy trap returned falsish"));
+ }
}
ecma_free_property_descriptor (&prop_desc);
@@ -1184,7 +1189,14 @@ ecma_op_object_put_apply_receiver (ecma_value_t receiver, /**< receiver */
| ECMA_PROP_IS_WRITABLE_DEFINED | ECMA_PROP_IS_VALUE_DEFINED);
desc.value = value;
- return ecma_proxy_object_define_own_property (receiver_obj_p, property_name_p, &desc);
+ ecma_value_t ret_value = ecma_proxy_object_define_own_property (receiver_obj_p, property_name_p, &desc);
+
+ if (JERRY_UNLIKELY (ecma_is_value_false (ret_value)) && is_throw)
+ {
+ ret_value = ecma_raise_type_error (ECMA_ERR_MSG ("Proxy trap returned falsish"));
+ }
+
+ return ret_value;
}
#endif /* ENABLED (JERRY_BUILTIN_PROXY) */
diff --git a/tests/jerry/es.next/regression-test-issue-4441.js b/tests/jerry/es.next/regression-test-issue-4441.js
new file mode 100644
index 000000000..2313207a9
--- /dev/null
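Review bot: In the first hunk the new TypeError says `"Proxy trap returned falsish"`, but it follows the generic `ecma_op_object_define_own_property` call rather than a proxy-specific one, so if a non-proxy receiver can return false there the message would presumably misattribute the failure; a receiver-neutral text such as `ECMA_ERR_MSG ("Cannot define property on the receiver")` would be safer. The second hunk repeats the same three-line check after `ecma_proxy_object_define_own_property`, where the wording fits. Neither copy says why only a false result is converted, so I would add `/* strict Set: a false [[DefineOwnProperty]] result must throw; any other result is returned as-is */` above each. The body of ecma_op_object_put_apply_receiver starts and ends outside both hunks.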
+++ b/tests/jerry/es.next/regression-test-issue-4441.js
@@ -0,0 +1,25 @@
+// Copyright JS Foundation and other contributors, http://js.foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+var get = [];
+var constructor = Function();
+constructor[Symbol.species] = Object;
+var p = new Proxy({ constructor: constructor, flags: '', exec: function() { return /\ua796/iu; } }, { defineProperty: function(o, k) { get.push(k); return o[k]; }});
+
+try {
+ RegExp.prototype[Symbol.split].call(p, 7996);
+ assert(false);
+} catch (e) {
+ assert(e instanceof TypeError);
+}
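Review bot: The `get` array is filled by the `defineProperty` trap but never checked, so the test would still pass if the TypeError came from somewhere other than the trap's falsy return; asserting on it after the `try`/`catch`, e.g. `assert(get.length === 1 && get[0] === 'lastIndex');`, would pin the path (the expected key is my reading of the `Symbol.split` steps and should be confirmed). The target has no own `lastIndex`, so this presumably exercises only the proxy define branch from the second hunk of ecma-objects.c; a second case whose target already owns a writable `lastIndex` would be needed to reach the check added in the first hunk. A one-line comment above the Proxy stating that the trap deliberately returns a falsy value would also help future readers.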