Bug 1019761 - Fix null dialogArugments deref. r=bz, r=johns

2024-09-13 09:24:08 -07:00 · 2014-06-06 15:43:00 -04:00 · 2014-06-06 15:43:00 -04:00 · 6c263f9f6b
commit 6c263f9f6b
parent 48613f3f85
3 changed files with 39 additions and 1 deletions
--- a/dom/base/nsGlobalWindow.cpp
+++ b/dom/base/nsGlobalWindow.cpp
@ -13630,6 +13630,11 @@ nsGlobalWindow::GetDialogArguments(JSContext* aCx, ErrorResult& aError)
  MOZ_ASSERT(IsModalContentWindow(),
             "This should only be called on modal windows!");

+  if (!mDialogArguments) {
+    MOZ_ASSERT(mIsClosed, "This window should be closed!");
+    return JS::UndefinedValue();
+  }
+
  // This does an internal origin check, and returns undefined if the subject
  // does not subsumes the origin of the arguments.
  JS::Rooted<JSObject*> wrapper(aCx, GetWrapper());
--- a/dom/base/test/mochitest.ini
+++ b/dom/base/test/mochitest.ini
@ -8,7 +8,6 @@ support-files =
  file_empty.html
  iframe_postMessage_solidus.html

-[test_Image_constructor.html]
 [test_appname_override.html]
 [test_audioWindowUtils.html]
 [test_audioNotification.html]
@ -22,6 +21,8 @@ support-files =
 [test_consoleEmptyStack.html]
 [test_constructor-assignment.html]
 [test_constructor.html]
+[test_dialogArguments.html]
+skip-if = buildapp == 'b2g' || toolkit == 'android' || e10s
 [test_document.all_unqualified.html]
 [test_domcursor.html]
 [test_domrequest.html]
@ -37,6 +38,7 @@ support-files =
 [test_getFeature_without_perm.html]
 [test_history_document_open.html]
 [test_history_state_null.html]
+[test_Image_constructor.html]
 [test_innersize_scrollport.html]
 [test_messageChannel.html]
 [test_messageChannel_cloning.html]
--- a/dom/base/test/test_dialogArguments.html
+++ b/dom/base/test/test_dialogArguments.html
@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html>
+<head>
+	<title>Test for Bug 1019761</title>
+	<script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+	<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+
+	<meta http-equiv="content-type" content="text/html; charset=utf-8">
+</head>
+<body>
+<script type="application/javascript">
+
+/*
+	Tests whether Firefox crashes when accessing the dialogArguments property
+	of a modal window that has been closed.
+*/
+SimpleTest.waitForExplicitFinish();
+
+function openModal() {
+	showModalDialog("javascript:opener.winRef = window; \
+		window.opener.setTimeout(\'winRef.dialogArguments;\', 0);\
+		window.close();");
+
+	ok(true, "dialogArguments did not cause a crash.");
+	SimpleTest.finish();
+}
+
+window.onload = openModal;
+</script>
+</body>
+</html>