wine/gecko
0
0
Fork 0
mirror of https://gitlab.winehq.org/wine/wine-gecko.git synced 2024-09-13 09:24:08 -07:00
Code Issues Packages Projects Releases Wiki Activity

Bug 726502 - nsDeviceMotion::DeviceMotionChanged may index out of bounds mWindowListeners array. r=smaug

Browse Source
This commit is contained in:
Doug Turner 2012-03-09 08:41:25 -08:00
parent 86d68e8275
commit 168be1c4e1
1 changed files with 17 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
dom/system/nsDeviceMotion.cpp
View File

@ -199,12 +199,15 @@ NS_IMETHODIMP nsDeviceMotion::RemoveListener(nsIDeviceMotionListener *aListener)
NS_IMETHODIMP nsDeviceMotion::AddWindowListener(nsIDOMWindow *aWindow)
{
if (mWindowListeners.IndexOf(aWindow) != NoIndex)
return NS_OK;
if (mStarted == false) {
mStarted = true;
Startup();
}
if (mWindowListeners.IndexOf(aWindow) == NoIndex)
mWindowListeners.AppendElement(aWindow);
mWindowListeners.AppendElement(aWindow);
return NS_OK;
}
@ -224,28 +227,34 @@ nsDeviceMotion::DeviceMotionChanged(PRUint32 type, double x, double y, double z)
if (!mEnabled)
return NS_ERROR_NOT_INITIALIZED;
for (PRUint32 i = mListeners.Count(); i > 0 ; ) {
nsCOMArray<nsIDeviceMotionListener> listeners = mListeners;
for (PRUint32 i = listeners.Count(); i > 0 ; ) {
--i;
nsRefPtr<nsDeviceMotionData> a = new nsDeviceMotionData(type, x, y, z);
mListeners[i]->OnMotionChange(a);
listeners[i]->OnMotionChange(a);
}
for (PRUint32 i = mWindowListeners.Length(); i > 0 ; ) {
nsCOMArray<nsIDOMWindow> windowListeners;
for (PRUint32 i = 0; i < mWindowListeners.Length(); i++) {
windowListeners.AppendObject(mWindowListeners[i]);
}
for (PRUint32 i = windowListeners.Count(); i > 0 ; ) {
--i;
// check to see if this window is in the background. if
// it is, don't send any device motion to it.
nsCOMPtr<nsPIDOMWindow> pwindow = do_QueryInterface(mWindowListeners[i]);
nsCOMPtr<nsPIDOMWindow> pwindow = do_QueryInterface(windowListeners[i]);
if (!pwindow ||
!pwindow->GetOuterWindow() ||
pwindow->GetOuterWindow()->IsBackground())
continue;
nsCOMPtr<nsIDOMDocument> domdoc;
mWindowListeners[i]->GetDocument(getter_AddRefs(domdoc));
windowListeners[i]->GetDocument(getter_AddRefs(domdoc));
if (domdoc) {
nsCOMPtr<nsIDOMEventTarget> target = do_QueryInterface(mWindowListeners[i]);
nsCOMPtr<nsIDOMEventTarget> target = do_QueryInterface(windowListeners[i]);
if (type == nsIDeviceMotionData::TYPE_ACCELERATION)
FireDOMMotionEvent(domdoc, target, x, y, z);
else if (type == nsIDeviceMotionData::TYPE_ORIENTATION)