From 49d3dd3a82c77d8b16b90f41cbe985d9764cc19b Mon Sep 17 00:00:00 2001
From: Bobby Holley <bobbyholley@gmail.com>
Date: Tue, 14 Aug 2012 08:31:02 -0700
Subject: [PATCH] Bug 777628 - Do a Checked Unwrap in JS_WriteTypedArray.
 r=jorendorff

---
 dom/tests/mochitest/bugs/Makefile.in         |  1 +
 dom/tests/mochitest/bugs/test_bug777628.html | 42 ++++++++++++++++++++
 js/src/jsclone.cpp                           |  9 +++++
 3 files changed, 52 insertions(+)
 create mode 100644 dom/tests/mochitest/bugs/test_bug777628.html

diff --git a/dom/tests/mochitest/bugs/Makefile.in b/dom/tests/mochitest/bugs/Makefile.in
index 5e5b9b95507..d1cb7159af9 100644
--- a/dom/tests/mochitest/bugs/Makefile.in
+++ b/dom/tests/mochitest/bugs/Makefile.in
@@ -129,6 +129,7 @@ MOCHITEST_FILES	= \
 		worker_bug743615.js \
 		test_bug750051.html \
 		test_bug755320.html \
+		test_bug777628.html \
 		$(NULL)
 
 include $(topsrcdir)/config/rules.mk
diff --git a/dom/tests/mochitest/bugs/test_bug777628.html b/dom/tests/mochitest/bugs/test_bug777628.html
new file mode 100644
index 00000000000..f272fcb3e55
--- /dev/null
+++ b/dom/tests/mochitest/bugs/test_bug777628.html
@@ -0,0 +1,42 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=777628
+-->
+<head>
+  <meta charset="utf-8">
+  <title>Test for Bug 743615</title>
+  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="application/javascript" src="utils_bug743615.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=777628">Mozilla Bug 777628</a>
+<p id="display"></p>
+<div id="content" style="display: none">
+<iframe id="ifr"></iframe>
+</div>
+<pre id="test">
+<script type="application/javascript">
+
+/** Test for structured cloning ImageData from another scope. **/
+
+// Set up an ImageData in another scope.
+var doc = document.getElementById('ifr').contentDocument;
+var canvas = doc.createElement('canvas');
+canvas.width = 200;
+canvas.height = 200;
+doc.body.appendChild(canvas);
+var ctx = canvas.getContext('2d');
+ctx.fillStyle = 'rgb(';
+ctx.fillRect(30, 30, 50, 50);
+var imageData = ctx.createImageData(200, 200);
+
+// Clone it.
+window.postMessage({ imageData: imageData }, '*');
+ok(true, "Handled cross-compartment imagedata without throwing/crashing!");
+
+</script>
+</pre>
+</body>
+</html>
diff --git a/js/src/jsclone.cpp b/js/src/jsclone.cpp
index 8e111e37de1..0a957cf84f8 100644
--- a/js/src/jsclone.cpp
+++ b/js/src/jsclone.cpp
@@ -402,6 +402,15 @@ JS_WriteTypedArray(JSStructuredCloneWriter *w, jsval v)
 {
     JS_ASSERT(v.isObject());
     RootedObject obj(w->context(), &v.toObject());
+
+    // If the object is a security wrapper, try puncturing it. This may throw
+    // if the access is not allowed.
+    if (obj->isWrapper()) {
+        JSObject *unwrapped = UnwrapObjectChecked(w->context(), obj);
+        if (!unwrapped)
+            return false;
+        obj = unwrapped;
+    }
     return w->writeTypedArray(obj);
 }