Bug 730208 - UnmarkGray various JS objects to prevent them from being used to create black -> gray edges. r=smaug
--HG-- extra : rebase_source : 00bd6f20a900e97173fafa9f5512e2ebbd3a0cac
This commit is contained in:
parent
4642a9a56c
commit
0f3ecde4b7
@ -5463,8 +5463,8 @@ nsWindowSH::GetProperty(nsIXPConnectWrappedNative *wrapper, JSContext *cx,
|
||||
|
||||
nsCOMPtr<nsIXPConnectJSObjectHolder> holder;
|
||||
jsval v;
|
||||
rv = WrapNative(cx, frameWin->GetGlobalJSObject(), frame,
|
||||
&NS_GET_IID(nsIDOMWindow), true, &v,
|
||||
rv = WrapNative(cx, xpc_UnmarkGrayObject(frameWin->GetGlobalJSObject()),
|
||||
frame, &NS_GET_IID(nsIDOMWindow), true, &v,
|
||||
getter_AddRefs(holder));
|
||||
NS_ENSURE_SUCCESS(rv, rv);
|
||||
|
||||
|
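Review bot: The `xpc_UnmarkGrayObject(...)` wrapped inline around `frameWin->GetGlobalJSObject()` is the only hint of why this `WrapNative` call changed, and nothing in the hunk says so; a one-line comment above the call would spare the next reader a trip to the bug, e.g. `// Unmark gray first so WrapNative cannot create a black -> gray edge to this global (bug 730208).` Whether `xpc_UnmarkGrayObject` tolerates a null global is not visible here and, if a frame can lack a global at this point, is worth confirming. nsWindowSH::GetProperty starts and ends outside the hunk.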
@ -2039,6 +2039,7 @@ nsGlobalWindow::SetNewDocument(nsIDocument* aDocument,
|
||||
newInnerWindow = currentInner;
|
||||
|
||||
if (aDocument != oldDoc) {
|
||||
xpc_UnmarkGrayObject(currentInner->mJSObject);
|
||||
nsWindowSH::InvalidateGlobalScopePolluter(cx, currentInner->mJSObject);
|
||||
}
|
||||
|
||||
@ -2047,6 +2048,7 @@ nsGlobalWindow::SetNewDocument(nsIDocument* aDocument,
|
||||
// don't expose that API because the implementation would be
|
||||
// identical to that of JS_TransplantObject, so we just call that
|
||||
// instead.
|
||||
xpc_UnmarkGrayObject(mJSObject);
|
||||
if (!JS_TransplantObject(cx, mJSObject, mJSObject)) {
|
||||
return NS_ERROR_FAILURE;
|
||||
}
|
||||
@ -2129,7 +2131,7 @@ nsGlobalWindow::SetNewDocument(nsIDocument* aDocument,
|
||||
mJSObject = mContext->GetNativeGlobal();
|
||||
SetWrapper(mJSObject);
|
||||
} else {
|
||||
JSObject *outerObject = NewOuterWindowProxy(cx, newInnerWindow->mJSObject);
|
||||
JSObject *outerObject = NewOuterWindowProxy(cx, xpc_UnmarkGrayObject(newInnerWindow->mJSObject));
|
||||
if (!outerObject) {
|
||||
NS_ERROR("out of memory");
|
||||
return NS_ERROR_FAILURE;
|
||||
@ -2200,7 +2202,7 @@ nsGlobalWindow::SetNewDocument(nsIDocument* aDocument,
|
||||
proto = nsnull;
|
||||
}
|
||||
|
||||
if (!JS_SetPrototype(cx, mJSObject, proto)) {
|
||||
if (!JS_SetPrototype(cx, mJSObject, xpc_UnmarkGrayObject(proto))) {
|
||||
NS_ERROR("can't set prototype");
|
||||
return NS_ERROR_FAILURE;
|
||||
}
|
||||
|
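Review bot: `proto` can be `nsnull` on the path at the top of the last hunk (`proto = nsnull;`), so the new `JS_SetPrototype(cx, mJSObject, xpc_UnmarkGrayObject(proto))` relies on `xpc_UnmarkGrayObject` accepting a null argument; that contract is not visible in this diff and deserves either a guard or a comment such as `// xpc_UnmarkGrayObject passes a null proto through unchanged.` The other SetNewDocument hunks mix two forms — a standalone `xpc_UnmarkGrayObject(mJSObject);` statement before `JS_TransplantObject`, and the value-returning form nested inside `NewOuterWindowProxy(...)` and `JS_SetPrototype(...)` — and settling on one form would make the edge-fixing intent easier to audit. nsGlobalWindow::SetNewDocument starts and ends outside these hunks.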
@ -40,6 +40,7 @@
|
||||
|
||||
#include "nsIScriptContext.h"
|
||||
#include "jsapi.h"
|
||||
#include "xpcpublic.h"
|
||||
#include "nsIDOMEventListener.h"
|
||||
|
||||
class nsIScriptObjectOwner;
|
||||
@ -86,12 +87,12 @@ public:
|
||||
|
||||
JSObject* GetEventScope() const
|
||||
{
|
||||
return mScopeObject;
|
||||
return xpc_UnmarkGrayObject(mScopeObject);
|
||||
}
|
||||
|
||||
JSObject *GetHandler() const
|
||||
{
|
||||
return mHandler;
|
||||
return xpc_UnmarkGrayObject(mHandler);
|
||||
}
|
||||
|
||||
// Set a handler for this event listener. Must not be called if
|
||||
|
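Review bot: `GetEventScope()` and `GetHandler()` are `const` accessors that now alter GC mark state through `xpc_UnmarkGrayObject` on every read, and nothing announces that to callers; a comment on each would document the contract, e.g. `// Unmarked on read so a caller storing the result cannot create a black -> gray edge (bug 730208).` The new `#include "xpcpublic.h"` is needed for the inline bodies but pulls XPConnect into every includer of this header; moving the bodies out of line would let the include move with them, though that is a trade-off rather than a defect. The enclosing class starts and ends outside these hunks.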
@ -1194,6 +1194,7 @@ nsJSContext::EvaluateStringWithValue(const nsAString& aScript,
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
xpc_UnmarkGrayObject(aScopeObject);
|
||||
nsAutoMicroTask mt;
|
||||
|
||||
// Safety first: get an object representing the script's principals, i.e.,
|
||||
@ -1396,6 +1397,8 @@ nsJSContext::EvaluateString(const nsAString& aScript,
|
||||
aScopeObject = JS_GetGlobalObject(mContext);
|
||||
}
|
||||
|
||||
xpc_UnmarkGrayObject(aScopeObject);
|
||||
|
||||
// Safety first: get an object representing the script's principals, i.e.,
|
||||
// the entities who signed this script, or the fully-qualified-domain-name
|
||||
// or "codebase" from which it was loaded.
|
||||
@ -1513,6 +1516,7 @@ nsJSContext::CompileScript(const PRUnichar* aText,
|
||||
NS_ENSURE_ARG_POINTER(aPrincipal);
|
||||
|
||||
JSObject* scopeObject = ::JS_GetGlobalObject(mContext);
|
||||
xpc_UnmarkGrayObject(scopeObject);
|
||||
|
||||
bool ok = false;
|
||||
|
||||
@ -1572,6 +1576,9 @@ nsJSContext::ExecuteScript(JSScript* aScriptObject,
|
||||
aScopeObject = JS_GetGlobalObject(mContext);
|
||||
}
|
||||
|
||||
xpc_UnmarkGrayScript(aScriptObject);
|
||||
xpc_UnmarkGrayObject(aScopeObject);
|
||||
|
||||
// Push our JSContext on our thread's context stack, in case native code
|
||||
// called from JS calls back into JS via XPConnect.
|
||||
nsresult rv;
|
||||
@ -1674,7 +1681,7 @@ nsJSContext::JSObjectFromInterface(nsISupports* aTarget, JSObject* aScope, JSObj
|
||||
NS_ASSERTION(native == targetSupp, "Native should be the target!");
|
||||
#endif
|
||||
|
||||
*aRet = JSVAL_TO_OBJECT(v);
|
||||
*aRet = xpc_UnmarkGrayObject(JSVAL_TO_OBJECT(v));
|
||||
|
||||
return NS_OK;
|
||||
}
|
||||
@ -1766,6 +1773,8 @@ nsJSContext::CompileFunction(JSObject* aTarget,
|
||||
return NS_ERROR_ILLEGAL_VALUE;
|
||||
}
|
||||
|
||||
xpc_UnmarkGrayObject(aTarget);
|
||||
|
||||
nsIScriptGlobalObject *global = GetGlobalObject();
|
||||
nsCOMPtr<nsIPrincipal> principal;
|
||||
if (global) {
|
||||
@ -1826,6 +1835,9 @@ nsJSContext::CallEventHandler(nsISupports* aTarget, JSObject* aScope,
|
||||
|
||||
nsAutoMicroTask mt;
|
||||
JSAutoRequest ar(mContext);
|
||||
xpc_UnmarkGrayObject(aScope);
|
||||
xpc_UnmarkGrayObject(aHandler);
|
||||
|
||||
JSObject* target = nsnull;
|
||||
nsresult rv = JSObjectFromInterface(aTarget, aScope, &target);
|
||||
NS_ENSURE_SUCCESS(rv, rv);
|
||||
@ -1883,6 +1895,11 @@ nsJSContext::CallEventHandler(nsISupports* aTarget, JSObject* aScope,
|
||||
// in the same scope as aTarget.
|
||||
rv = ConvertSupportsTojsvals(aargv, target, &argc, &argv, tempStorage);
|
||||
NS_ENSURE_SUCCESS(rv, rv);
|
||||
for (uint32_t i = 0; i < argc; i++) {
|
||||
if (!JSVAL_IS_PRIMITIVE(argv[i])) {
|
||||
xpc_UnmarkGrayObject(JSVAL_TO_OBJECT(argv[i]));
|
||||
}
|
||||
}
|
||||
|
||||
++mExecuteDepth;
|
||||
bool ok = ::JS_CallFunctionValue(mContext, target,
|
||||
@ -1930,6 +1947,9 @@ nsJSContext::BindCompiledEventHandler(nsISupports* aTarget, JSObject* aScope,
|
||||
NS_PRECONDITION(!aBoundHandler, "Shouldn't already have a bound handler!");
|
||||
|
||||
JSAutoRequest ar(mContext);
|
||||
xpc_UnmarkGrayObject(aScope);
|
||||
xpc_UnmarkGrayObject(aHandler);
|
||||
|
||||
|
||||
// Get the jsobject associated with this target
|
||||
JSObject *target = nsnull;
|
||||
@ -1978,6 +1998,8 @@ nsJSContext::Serialize(nsIObjectOutputStream* aStream, JSScript* aScriptObject)
|
||||
return NS_ERROR_FAILURE;
|
||||
|
||||
return nsContentUtils::XPConnect()->WriteScript(aStream, mContext, aScriptObject);
|
||||
xpc_UnmarkGrayScript(aScriptObject);
|
||||
|
||||
}
|
||||
|
||||
nsresult
|
||||
@ -2441,8 +2463,9 @@ nsJSContext::AddSupportsPrimitiveTojsvals(nsISupports *aArg, jsval *aArgv)
|
||||
AutoFree iidGuard(iid); // Free iid upon destruction.
|
||||
|
||||
nsCOMPtr<nsIXPConnectJSObjectHolder> wrapper;
|
||||
JSObject *global = xpc_UnmarkGrayObject(::JS_GetGlobalObject(cx));
|
||||
jsval v;
|
||||
nsresult rv = nsContentUtils::WrapNative(cx, ::JS_GetGlobalObject(cx),
|
||||
nsresult rv = nsContentUtils::WrapNative(cx, global,
|
||||
data, iid, &v,
|
||||
getter_AddRefs(wrapper));
|
||||
NS_ENSURE_SUCCESS(rv, rv);
|
||||
|
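Review bot: As printed, the new `xpc_UnmarkGrayScript(aScriptObject);` in `nsJSContext::Serialize` comes after `return nsContentUtils::XPConnect()->WriteScript(aStream, mContext, aScriptObject);`, which makes it unreachable, so the script is never unmarked on this path; if the rendering reflects the source, the call should move above the return: `xpc_UnmarkGrayScript(aScriptObject);` followed by `return nsContentUtils::XPConnect()->WriteScript(aStream, mContext, aScriptObject);`. The remaining hunks in this file follow the pattern consistently — unmark scope, handler and arguments before the JS API call that could store them — and `CallEventHandler`'s loop over `argv` correctly skips primitives before calling `JSVAL_TO_OBJECT`. `Serialize` starts outside the hunk.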