Bug 782644 - Prevent against nsObjectLoadingContent re-entry from content policy. r=josh

2024-09-13 09:24:08 -07:00 · 2012-08-20 12:46:48 -07:00 · 2012-08-20 12:46:48 -07:00 · b8f1be7ecc
commit b8f1be7ecc
parent 5b0555857c
1 changed files with 18 additions and 3 deletions
--- a/content/base/src/nsObjectLoadingContent.cpp
+++ b/content/base/src/nsObjectLoadingContent.cpp
@ -683,9 +683,9 @@ nsObjectLoadingContent::~nsObjectLoadingContent()
 nsresult
 nsObjectLoadingContent::InstantiatePluginInstance()
 {
-  if (mType != eType_Plugin) {
-    LOG(("OBJLC [%p]: Refusing to instantiate non-plugin, "
-         "type %u", this, mType));
+  if (mType != eType_Plugin || mIsLoading) {
+    LOG(("OBJLC [%p]: Not instantiating loading or non-plugin object, type %u",
+         this, mType));
    return NS_OK;
  }

@ -1560,6 +1560,9 @@ nsObjectLoadingContent::LoadObject(bool aNotify,
  // original load call needs to abort when unwinding
  // NOTE this is located *after* the state change check, a subseqent load
  //      with no subsequently changed state will be a no-op.
+  if (mIsLoading) {
+    LOG(("OBJLC [%p]: Re-entering into LoadObject", this));
+  }
  mIsLoading = true;
  AutoSetLoadingToFalse reentryCheck(this);

@ -1569,6 +1572,7 @@ nsObjectLoadingContent::LoadObject(bool aNotify,
  if (!mIsLoading) {
    // The event loop must've spun and re-entered into LoadObject, which
    // finished the load
+    LOG(("OBJLC [%p]: Re-entered into LoadObject, aborting outer load", this));
    return NS_OK;
  }

@ -1618,6 +1622,13 @@ nsObjectLoadingContent::LoadObject(bool aNotify,
    } else {
      allowLoad = CheckProcessPolicy(&contentPolicy);
    }
+
+    // Content policy implementations can mutate the DOM, check for re-entry
+    if (!mIsLoading) {
+      LOG(("OBJLC [%p]: We re-entered in content policy, leaving original load",
+           this));
+      return NS_OK;
+    }
    
    // Load denied, switch to fallback and set disabled/suppressed if applicable
    if (!allowLoad) {
@ -1664,6 +1675,10 @@ nsObjectLoadingContent::LoadObject(bool aNotify,
  ///
  /// Attempt to load new type
  ///
+  
+  // Remove blocker on entering into instantiate
+  mIsLoading = false;
+  
  switch (mType) {
    case eType_Image:
      if (!mChannel) {