Bug 831076 - Outerize during same-compartment wrapping so that JS_Wrap* is guaranteed to outerize. r=mrbkap

2024-09-13 09:24:08 -07:00 · 2013-02-04 15:13:14 +00:00 · 2013-02-04 15:13:14 +00:00 · 9124b9b5fd
commit 9124b9b5fd
parent b32a8d4b14
2 changed files with 7 additions and 4 deletions
--- a/js/xpconnect/src/XPCConvert.cpp
+++ b/js/xpconnect/src/XPCConvert.cpp
@ -980,10 +980,6 @@ XPCConvert::NativeInterface2JSObject(XPCLazyCallContext& lccx,
    if (!JS_WrapObject(ccx, &flat))
        return false;

-    // Outerize if necessary.
-    flat = JS_ObjectToOuterObject(cx, flat);
-    MOZ_ASSERT(flat, "bad outer object hook!");
-
    *d = OBJECT_TO_JSVAL(flat);

    if (dest) {
--- a/js/xpconnect/wrappers/WrapperFactory.cpp
+++ b/js/xpconnect/wrappers/WrapperFactory.cpp
@ -472,10 +472,17 @@ WrapperFactory::Rewrap(JSContext *cx, JSObject *existing, JSObject *obj,
 JSObject *
 WrapperFactory::WrapForSameCompartment(JSContext *cx, JSObject *obj)
 {
+    MOZ_ASSERT(js::IsObjectInContextCompartment(obj, cx));
+
    // NB: The contract of WrapForSameCompartment says that |obj| may or may not
    // be a security wrapper. These checks implicitly handle the security
    // wrapper case.

+    // Outerize if necessary. This, in combination with the check in
+    // PrepareForUnwrapping, means that calling JS_Wrap* always outerizes.
+    obj = JS_ObjectToOuterObject(cx, obj);
+    NS_ENSURE_TRUE(obj, nullptr);
+
    if (dom::GetSameCompartmentWrapperForDOMBinding(obj)) {
        return obj;
    }