Bug 730208 - UnmarkGray various JS objects to prevent them from being used to create black -> gray edges. r=smaug

--HG--
extra : rebase_source : 00bd6f20a900e97173fafa9f5512e2ebbd3a0cac
This commit is contained in:
Steve Fink 2012-03-20 21:29:47 -07:00
parent 4642a9a56c
commit 0f3ecde4b7
4 changed files with 34 additions and 8 deletions

View File

@ -5463,8 +5463,8 @@ nsWindowSH::GetProperty(nsIXPConnectWrappedNative *wrapper, JSContext *cx,
nsCOMPtr<nsIXPConnectJSObjectHolder> holder;
jsval v;
rv = WrapNative(cx, frameWin->GetGlobalJSObject(), frame,
&NS_GET_IID(nsIDOMWindow), true, &v,
rv = WrapNative(cx, xpc_UnmarkGrayObject(frameWin->GetGlobalJSObject()),
frame, &NS_GET_IID(nsIDOMWindow), true, &v,
getter_AddRefs(holder));
NS_ENSURE_SUCCESS(rv, rv);

View File

@ -2039,6 +2039,7 @@ nsGlobalWindow::SetNewDocument(nsIDocument* aDocument,
newInnerWindow = currentInner;
if (aDocument != oldDoc) {
xpc_UnmarkGrayObject(currentInner->mJSObject);
nsWindowSH::InvalidateGlobalScopePolluter(cx, currentInner->mJSObject);
}
@ -2047,6 +2048,7 @@ nsGlobalWindow::SetNewDocument(nsIDocument* aDocument,
// don't expose that API because the implementation would be
// identical to that of JS_TransplantObject, so we just call that
// instead.
xpc_UnmarkGrayObject(mJSObject);
if (!JS_TransplantObject(cx, mJSObject, mJSObject)) {
return NS_ERROR_FAILURE;
}
@ -2129,7 +2131,7 @@ nsGlobalWindow::SetNewDocument(nsIDocument* aDocument,
mJSObject = mContext->GetNativeGlobal();
SetWrapper(mJSObject);
} else {
JSObject *outerObject = NewOuterWindowProxy(cx, newInnerWindow->mJSObject);
JSObject *outerObject = NewOuterWindowProxy(cx, xpc_UnmarkGrayObject(newInnerWindow->mJSObject));
if (!outerObject) {
NS_ERROR("out of memory");
return NS_ERROR_FAILURE;
@ -2200,7 +2202,7 @@ nsGlobalWindow::SetNewDocument(nsIDocument* aDocument,
proto = nsnull;
}
if (!JS_SetPrototype(cx, mJSObject, proto)) {
if (!JS_SetPrototype(cx, mJSObject, xpc_UnmarkGrayObject(proto))) {
NS_ERROR("can't set prototype");
return NS_ERROR_FAILURE;
}

View File

@ -40,6 +40,7 @@
#include "nsIScriptContext.h"
#include "jsapi.h"
#include "xpcpublic.h"
#include "nsIDOMEventListener.h"
class nsIScriptObjectOwner;
@ -86,12 +87,12 @@ public:
JSObject* GetEventScope() const
{
return mScopeObject;
return xpc_UnmarkGrayObject(mScopeObject);
}
JSObject *GetHandler() const
{
return mHandler;
return xpc_UnmarkGrayObject(mHandler);
}
// Set a handler for this event listener. Must not be called if

View File

@ -1194,6 +1194,7 @@ nsJSContext::EvaluateStringWithValue(const nsAString& aScript,
return NS_OK;
}
xpc_UnmarkGrayObject(aScopeObject);
nsAutoMicroTask mt;
// Safety first: get an object representing the script's principals, i.e.,
@ -1396,6 +1397,8 @@ nsJSContext::EvaluateString(const nsAString& aScript,
aScopeObject = JS_GetGlobalObject(mContext);
}
xpc_UnmarkGrayObject(aScopeObject);
// Safety first: get an object representing the script's principals, i.e.,
// the entities who signed this script, or the fully-qualified-domain-name
// or "codebase" from which it was loaded.
@ -1513,6 +1516,7 @@ nsJSContext::CompileScript(const PRUnichar* aText,
NS_ENSURE_ARG_POINTER(aPrincipal);
JSObject* scopeObject = ::JS_GetGlobalObject(mContext);
xpc_UnmarkGrayObject(scopeObject);
bool ok = false;
@ -1572,6 +1576,9 @@ nsJSContext::ExecuteScript(JSScript* aScriptObject,
aScopeObject = JS_GetGlobalObject(mContext);
}
xpc_UnmarkGrayScript(aScriptObject);
xpc_UnmarkGrayObject(aScopeObject);
// Push our JSContext on our thread's context stack, in case native code
// called from JS calls back into JS via XPConnect.
nsresult rv;
@ -1674,7 +1681,7 @@ nsJSContext::JSObjectFromInterface(nsISupports* aTarget, JSObject* aScope, JSObj
NS_ASSERTION(native == targetSupp, "Native should be the target!");
#endif
*aRet = JSVAL_TO_OBJECT(v);
*aRet = xpc_UnmarkGrayObject(JSVAL_TO_OBJECT(v));
return NS_OK;
}
@ -1766,6 +1773,8 @@ nsJSContext::CompileFunction(JSObject* aTarget,
return NS_ERROR_ILLEGAL_VALUE;
}
xpc_UnmarkGrayObject(aTarget);
nsIScriptGlobalObject *global = GetGlobalObject();
nsCOMPtr<nsIPrincipal> principal;
if (global) {
@ -1826,6 +1835,9 @@ nsJSContext::CallEventHandler(nsISupports* aTarget, JSObject* aScope,
nsAutoMicroTask mt;
JSAutoRequest ar(mContext);
xpc_UnmarkGrayObject(aScope);
xpc_UnmarkGrayObject(aHandler);
JSObject* target = nsnull;
nsresult rv = JSObjectFromInterface(aTarget, aScope, &target);
NS_ENSURE_SUCCESS(rv, rv);
@ -1883,6 +1895,11 @@ nsJSContext::CallEventHandler(nsISupports* aTarget, JSObject* aScope,
// in the same scope as aTarget.
rv = ConvertSupportsTojsvals(aargv, target, &argc, &argv, tempStorage);
NS_ENSURE_SUCCESS(rv, rv);
for (uint32_t i = 0; i < argc; i++) {
if (!JSVAL_IS_PRIMITIVE(argv[i])) {
xpc_UnmarkGrayObject(JSVAL_TO_OBJECT(argv[i]));
}
}
++mExecuteDepth;
bool ok = ::JS_CallFunctionValue(mContext, target,
@ -1930,6 +1947,9 @@ nsJSContext::BindCompiledEventHandler(nsISupports* aTarget, JSObject* aScope,
NS_PRECONDITION(!aBoundHandler, "Shouldn't already have a bound handler!");
JSAutoRequest ar(mContext);
xpc_UnmarkGrayObject(aScope);
xpc_UnmarkGrayObject(aHandler);
// Get the jsobject associated with this target
JSObject *target = nsnull;
@ -1978,6 +1998,8 @@ nsJSContext::Serialize(nsIObjectOutputStream* aStream, JSScript* aScriptObject)
return NS_ERROR_FAILURE;
return nsContentUtils::XPConnect()->WriteScript(aStream, mContext, aScriptObject);
xpc_UnmarkGrayScript(aScriptObject);
}
nsresult
@ -2441,8 +2463,9 @@ nsJSContext::AddSupportsPrimitiveTojsvals(nsISupports *aArg, jsval *aArgv)
AutoFree iidGuard(iid); // Free iid upon destruction.
nsCOMPtr<nsIXPConnectJSObjectHolder> wrapper;
JSObject *global = xpc_UnmarkGrayObject(::JS_GetGlobalObject(cx));
jsval v;
nsresult rv = nsContentUtils::WrapNative(cx, ::JS_GetGlobalObject(cx),
nsresult rv = nsContentUtils::WrapNative(cx, global,
data, iid, &v,
getter_AddRefs(wrapper));
NS_ENSURE_SUCCESS(rv, rv);