Bug 854604 - Null-check funobj. r=mrbkap
I've audited all the places where we instantiate an XPCCallContext with more than just (cx, {NATIVE,JS}_CALLER), and the toString hook is the only place where we don't check IsValid() or something that depends on it.
parent
ca8c596c30
commit
a5c437d499
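--- a/js/xpconnect/crashtests/854604.html
+++ b/js/xpconnect/crashtests/854604.html
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+SpecialPowers.wrap(SpecialPowers.Components).toString();
+</script>
+</head>
+<body>
+</body>
+</html>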
@ -50,3 +50,4 @@ load 791845.html
|
||||
load 797583.html
|
||||
load 806751.html
|
||||
load 833856.html
|
||||
load 854604.html
|
||||
|
@ -462,6 +462,10 @@ XPCCallContext::UnwrapThisIfAllowed(JSObject *object, JSObject *fun, unsigned ar
|
||||
MOZ_ASSERT(!js::UnwrapObjectChecked(obj));
|
||||
MOZ_ASSERT(js::IsObjectInContextCompartment(obj, mJSContext));
|
||||
|
||||
// We can't do anything here without a function.
|
||||
if (!fun)
|
||||
return nullptr;
|
||||
|
||||
// Determine if we're allowed to unwrap the security wrapper to invoke the
|
||||
// method.
|
||||
//
|
||||
|
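Review bot: The comment on the new `if (!fun)` guard says only that nothing can be done without a function; it does not record when `fun` is legitimately null, or that returning nullptr here is the fail-closed outcome for a security wrapper. Going by the commit message and the crashtest, the null case appears to come from a call context built without a callee, as in the shared toString hook, so I would spell that out: `// fun is null when the call context was built without a callee (e.g. the shared toString hook); refuse to unwrap rather than dereference it.` The body of UnwrapThisIfAllowed starts and ends outside this hunk, so I cannot see where `fun` is first dereferenced or whether every caller treats a null return as an invalid context.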
@ -106,6 +106,8 @@ XPC_WN_Shared_ToString(JSContext *cx, unsigned argc, jsval *vp)
|
||||
}
|
||||
|
||||
XPCCallContext ccx(JS_CALLER, cx, obj);
|
||||
if (!ccx.IsValid())
|
||||
return Throw(NS_ERROR_XPC_BAD_OP_ON_WN_PROTO, cx);
|
||||
ccx.SetName(ccx.GetRuntime()->GetStringID(XPCJSRuntime::IDX_TO_STRING));
|
||||
ccx.SetArgsAndResultPtr(argc, JS_ARGV(cx, vp), vp);
|
||||
return ToStringGuts(ccx);
|
||||
|
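Review bot: The new `if (!ccx.IsValid())` check carries no comment, and the error it throws, `NS_ERROR_XPC_BAD_OP_ON_WN_PROTO`, names a prototype misuse rather than the case this commit is about. From the crashtest, the invalid context here seems to be a wrapped object that may not be unwrapped, so a line such as `// ccx is invalid when obj cannot be resolved to a wrapped native (e.g. a security wrapper we may not unwrap); bail before using ccx.` would tell the next reader why the guard has to sit ahead of `ccx.GetRuntime()`. Whether that error code matches the other IsValid() failure paths in this file is not visible from the hunk, so it is worth confirming. XPC_WN_Shared_ToString starts above the hunk.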