Bug 484107 - XPCSafeJSObjectWrapper allows regexp variables to be clobbered. r=mrbkap+sr=brendan

js/src/jsregexp.cpp

@@ -4379,6 +4379,22 @@ js_InitRegExpStatics(JSContext *cx)
     JS_ClearRegExpStatics(cx);
 }
 
+JS_FRIEND_API(void)
+js_SaveRegExpStatics(JSContext *cx, JSRegExpStatics *statics,
+                     JSTempValueRooter *tvr)
+{
+  *statics = cx->regExpStatics;
+  JS_PUSH_TEMP_ROOT_STRING(cx, statics->input, tvr);
+}
+
+JS_FRIEND_API(void)
+js_RestoreRegExpStatics(JSContext *cx, JSRegExpStatics *statics,
+                        JSTempValueRooter *tvr)
+{
+  cx->regExpStatics = *statics;
+  JS_POP_TEMP_ROOT(cx, tvr);
+}
+
 void
 js_TraceRegExpStatics(JSTracer *trc, JSContext *acx)
 {

js/src/jsregexp.h

@@ -65,6 +65,14 @@ struct JSRegExpStatics {
     JSSubString rightContext;   /* input to right of last match (perl $') */
 };
 
+extern JS_FRIEND_API(void)
+js_SaveRegExpStatics(JSContext *cx, JSRegExpStatics *statics,
+                     JSTempValueRooter *tvr);
+
+extern JS_FRIEND_API(void)
+js_RestoreRegExpStatics(JSContext *cx, JSRegExpStatics *statics,
+                        JSTempValueRooter *tvr);
+
 /*
  * This struct holds a bitmap representation of a class from a regexp.
  * There's a list of these referenced by the classList field in the JSRegExp

js/src/xpconnect/src/XPCSafeJSObjectWrapper.cpp

@@ -41,6 +41,7 @@
 #include "jsdbgapi.h"
 #include "jsscript.h" // for js_ScriptClass
 #include "XPCWrapper.h"
+#include "jsregexp.h"
 
 static JSBool
 XPC_SJOW_AddProperty(JSContext *cx, JSObject *obj, jsval id, jsval *vp);
@@ -522,6 +523,19 @@ XPC_SJOW_DelProperty(JSContext *cx, JSObject *obj, jsval id, jsval *vp)
   return XPCWrapper::DelProperty(cx, unsafeObj, id, vp);
 }
 
+static inline JSBool
+CallWithoutStatics(JSContext *cx, JSObject *obj, jsval fval, uintN argc,
+                   jsval *argv, jsval *rval)
+{
+  JSRegExpStatics statics;
+  JSTempValueRooter tvr;
+  js_SaveRegExpStatics(cx, &statics, &tvr);
+  JS_ClearRegExpStatics(cx);
+  JSBool ok = ::JS_CallFunctionValue(cx, obj, fval, argc, argv, rval);
+  js_RestoreRegExpStatics(cx, &statics, &tvr);
+  return ok;
+}
+
 // Call wrapper to help with wrapping calls to functions or callable
 // objects in a scripted function (see XPC_SJOW_Call()). The first
 // argument passed to this method is the unsafe function to call, the
@@ -536,7 +550,7 @@ XPC_SJOW_CallWrapper(JSContext *cx, JSObject *obj, uintN argc, jsval *argv,
     return ThrowException(NS_ERROR_INVALID_ARG, cx);
   }
 
-  return ::JS_CallFunctionValue(cx, obj, argv[0], argc - 1, argv + 1, rval);
+  return CallWithoutStatics(cx, obj, argv[0], argc - 1, argv + 1, rval);
 }
 
 static JSBool
@@ -588,9 +602,8 @@ XPC_SJOW_GetOrSetProperty(JSContext *cx, JSObject *obj, jsval id, jsval *vp,
   }
 
   jsval val;
-  JSBool ok = ::JS_CallFunctionValue(cx, unsafeObj, scriptedFunVal,
-                                     aIsSet ? 2 : 1, args, &val);
-
+  JSBool ok = CallWithoutStatics(cx, unsafeObj, scriptedFunVal,
+                                 aIsSet ? 2 : 1, args, &val);
   return ok && WrapJSValue(cx, obj, val, vp);
 }
 
@@ -860,8 +873,8 @@ XPC_SJOW_Call(JSContext *cx, JSObject *obj, uintN argc, jsval *argv,
   }
 
   jsval val;
-  JSBool ok = ::JS_CallFunctionValue(cx, callThisObj, scriptedFunVal, argc + 2,
-                                     args, &val);
+  JSBool ok = CallWithoutStatics(cx, callThisObj, scriptedFunVal, argc + 2,
+                                 args, &val);
 
   if (args != argsBuf) {
     nsMemory::Free(args);
@@ -966,12 +979,9 @@ XPC_SJOW_Create(JSContext *cx, JSObject *obj, uintN argc, jsval *argv,
     return JS_FALSE;
   }
 
-  if (!JS_CallFunctionValue(cx, obj, OBJECT_TO_JSVAL(callee), argc, argv,
-                            rval)) {
-    return JS_FALSE;
-  }
-
-  return WrapJSValue(cx, callee, *rval, rval);
+  JSBool ok = CallWithoutStatics(cx, obj, OBJECT_TO_JSVAL(callee), argc, argv,
+                                 rval);
+  return ok && WrapJSValue(cx, callee, *rval, rval);
 }
 
 static JSBool
@@ -1092,9 +1102,8 @@ XPC_SJOW_toString(JSContext *cx, JSObject *obj, uintN argc, jsval *argv,
   }
 
   jsval val;
-  JSBool ok = ::JS_CallFunctionValue(cx, unsafeObj, scriptedFunVal, 0, nsnull,
-                                     &val);
-
+  JSBool ok = CallWithoutStatics(cx, unsafeObj, scriptedFunVal, 0, nsnull,
+                                 &val);
   return ok && WrapJSValue(cx, obj, val, rval);
 }
 

js/src/xpconnect/tests/mochitest/Makefile.in

@@ -55,6 +55,7 @@ _TEST_FILES =	inner.html \
 		test_bug446584.html \
 		test_bug462428.html \
 		test_bug478438.html \
+		test_bug484107.html \
 		$(NULL)
 
 libs:: $(_TEST_FILES)

js/src/xpconnect/tests/mochitest/test_bug484107.html

@@ -0,0 +1,100 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=484107
+-->
+<head>
+  <title>Test for Bug 484107</title>
+  <script type="application/javascript" src="/MochiKit/MochiKit.js"></script>
+  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=484107">Mozilla Bug 484107</a>
+<p id="display"></p>
+<div id="content" style="display: none">
+  
+</div>
+<pre id="test">
+<script type="application/javascript">
+
+/** Test for Bug 484107 **/
+
+  var text = "first group",
+      xpcWin = new XPCSafeJSObjectWrapper(window);
+  function get$1() { return RegExp.$1 };
+
+  function reset() {
+    var match = /(.*)/.exec(text);
+    if (!reset.skipStupidTests) {
+      reset.skipStupidTests = true;
+      ok(match, "No match?");
+      is(match[1], text, "Bad match?");
+      is(text, RegExp.$1, "RegExp.$1 missing?");
+      is(text, get$1(), "RegExp.$1 inaccessible?");
+    }
+  }
+
+  function test_XPC_SJOW_Call() {
+    isnot(text, xpcWin.get$1(), "Able to see RegExp.$1 from wrapped method.");
+    is("", xpcWin.get$1(), "Saw something other than an empty string for " +
+                           "RegExp.$1 from wrapped method.");
+    is(text, window.get$1(), "Unable to see RegExp.$1 from non-wrapped method.");
+  }
+
+  function test_XPC_SJOW_Call_foreign_obj() {
+    var obj = {
+      xpcGet: xpcWin.get$1,
+      rawGet: window.get$1
+    };
+    isnot(text, obj.xpcGet(), "obj.xpcGet() returned matched text.");
+    is("", obj.xpcGet(), "obj.xpcGet() returned something other than the empty string.");
+    is(text, obj.rawGet(), "obj.rawGet() did not return matched text.");
+  }
+
+  function test_XPC_SJOW_toString() {
+    var str = new XPCSafeJSObjectWrapper({
+      toString: function() { return RegExp.$1 }
+    }) + "";
+    isnot(text, str, "toString() returned the matched text.");
+    is("", str, "toString() returned something other than the empty string.");
+  }
+
+  function test_XPC_SJOW_GetOrSetProperty() {
+    window.__defineGetter__("firstMatch", function() { return RegExp.$1 });
+    isnot(text, xpcWin.firstMatch, "Getter xpcWin.firstMatch returned matched text.");
+    is("", xpcWin.firstMatch,
+       "Getter xpcWin.firstMatch returned something other than the empty string.");
+    is(text, window.firstMatch, "Getter window.firstMatch did not return matched text.");
+  }
+
+  function test_XPC_SJOW_Create() {
+    function ctor() {
+      this.match = RegExp.$1;
+      return this; // XXX Why is this necessary?
+    }
+    ctor.prototype.getMatch = function() { return this.match };
+    var xpcCtor = new XPCSafeJSObjectWrapper(ctor),
+        match = (new xpcCtor).getMatch();
+    isnot(text, match, "(new xpcCtor).getMatch() was the matched text.");
+    is("", match, "(new xpcCtor).getMatch() was not the empty string.");
+  }
+
+  var tests = [
+    test_XPC_SJOW_Call,
+    test_XPC_SJOW_Call_foreign_obj,
+    test_XPC_SJOW_toString,
+    test_XPC_SJOW_GetOrSetProperty,
+    test_XPC_SJOW_Create
+  ];
+
+  for (var i = 0; i < tests.length; i++) {
+    reset();
+    tests[i]();
+    is(text, RegExp.$1, "RegExp.$1 was clobbered.");
+  }
+
+</script>
+</pre>
+</body>
+</html>