wine/gecko
0
0
Fork 0
mirror of https://gitlab.winehq.org/wine/wine-gecko.git synced 2024-09-13 09:24:08 -07:00
Code Issues Packages Projects Releases Wiki Activity

Bug 777628 - Do a Checked Unwrap in JS_WriteTypedArray. r=jorendorff

Browse Source
This commit is contained in:
Bobby Holley 2012-08-14 08:31:02 -07:00
parent 805b10b6d6
commit 49d3dd3a82
3 changed files with 52 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
dom/tests/mochitest/bugs/Makefile.in
View File

@ -129,6 +129,7 @@ MOCHITEST_FILES = \
worker_bug743615.js \
test_bug750051.html \
test_bug755320.html \
test_bug777628.html \
$(NULL)
include $(topsrcdir)/config/rules.mk

42
dom/tests/mochitest/bugs/test_bug777628.html Normal file
View File

@ -0,0 +1,42 @@
<!DOCTYPE HTML>
<html>
<!--
https://bugzilla.mozilla.org/show_bug.cgi?id=777628
-->
<head>
<meta charset="utf-8">
<title>Test for Bug 743615</title>
<script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
<script type="application/javascript" src="utils_bug743615.js"></script>
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
</head>
<body>
<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=777628">Mozilla Bug 777628</a>
<p id="display"></p>
<div id="content" style="display: none">
<iframe id="ifr"></iframe>
</div>
<pre id="test">
<script type="application/javascript">
/** Test for structured cloning ImageData from another scope. **/
// Set up an ImageData in another scope.
var doc = document.getElementById('ifr').contentDocument;
var canvas = doc.createElement('canvas');
canvas.width = 200;
canvas.height = 200;
doc.body.appendChild(canvas);
var ctx = canvas.getContext('2d');
ctx.fillStyle = 'rgb(';
ctx.fillRect(30, 30, 50, 50);
var imageData = ctx.createImageData(200, 200);
// Clone it.
window.postMessage({ imageData: imageData }, '*');
ok(true, "Handled cross-compartment imagedata without throwing/crashing!");
</script>
</pre>
</body>
</html>

9
js/src/jsclone.cpp
View File

@ -402,6 +402,15 @@ JS_WriteTypedArray(JSStructuredCloneWriter *w, jsval v)
{
JS_ASSERT(v.isObject());
RootedObject obj(w->context(), &v.toObject());
// If the object is a security wrapper, try puncturing it. This may throw
// if the access is not allowed.
if (obj->isWrapper()) {
JSObject *unwrapped = UnwrapObjectChecked(w->context(), obj);
if (!unwrapped)
return false;
obj = unwrapped;
}
return w->writeTypedArray(obj);
}