From da20683b61e3335b203c42897edae3bf74360d96 Mon Sep 17 00:00:00 2001
From: Catalin Badea <cbadea@mozilla.com>
Date: Fri, 6 Jun 2014 15:43:00 -0400
Subject: [PATCH] Bug 1019761 - Fix null dialogArugments deref. r=bz, r=johns

---
 dom/base/nsGlobalWindow.cpp             |  5 ++++
 dom/base/test/mochitest.ini             |  4 +++-
 dom/base/test/test_dialogArguments.html | 31 +++++++++++++++++++++++++
 3 files changed, 39 insertions(+), 1 deletion(-)
 create mode 100644 dom/base/test/test_dialogArguments.html

diff --git a/dom/base/nsGlobalWindow.cpp b/dom/base/nsGlobalWindow.cpp
index cee3cc3dd6c..15fbd9b2cc6 100644
--- a/dom/base/nsGlobalWindow.cpp
+++ b/dom/base/nsGlobalWindow.cpp
@@ -13630,6 +13630,11 @@ nsGlobalWindow::GetDialogArguments(JSContext* aCx, ErrorResult& aError)
   MOZ_ASSERT(IsModalContentWindow(),
              "This should only be called on modal windows!");
 
+  if (!mDialogArguments) {
+    MOZ_ASSERT(mIsClosed, "This window should be closed!");
+    return JS::UndefinedValue();
+  }
+
   // This does an internal origin check, and returns undefined if the subject
   // does not subsumes the origin of the arguments.
   JS::Rooted<JSObject*> wrapper(aCx, GetWrapper());
diff --git a/dom/base/test/mochitest.ini b/dom/base/test/mochitest.ini
index a30e7b08b40..32396bba9ad 100644
--- a/dom/base/test/mochitest.ini
+++ b/dom/base/test/mochitest.ini
@@ -8,7 +8,6 @@ support-files =
   file_empty.html
   iframe_postMessage_solidus.html
 
-[test_Image_constructor.html]
 [test_appname_override.html]
 [test_audioWindowUtils.html]
 [test_audioNotification.html]
@@ -22,6 +21,8 @@ support-files =
 [test_consoleEmptyStack.html]
 [test_constructor-assignment.html]
 [test_constructor.html]
+[test_dialogArguments.html]
+skip-if = buildapp == 'b2g' || toolkit == 'android' || e10s
 [test_document.all_unqualified.html]
 [test_domcursor.html]
 [test_domrequest.html]
@@ -37,6 +38,7 @@ support-files =
 [test_getFeature_without_perm.html]
 [test_history_document_open.html]
 [test_history_state_null.html]
+[test_Image_constructor.html]
 [test_innersize_scrollport.html]
 [test_messageChannel.html]
 [test_messageChannel_cloning.html]
diff --git a/dom/base/test/test_dialogArguments.html b/dom/base/test/test_dialogArguments.html
new file mode 100644
index 00000000000..70a091d0005
--- /dev/null
+++ b/dom/base/test/test_dialogArguments.html
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html>
+<head>
+	<title>Test for Bug 1019761</title>
+	<script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+	<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+
+	<meta http-equiv="content-type" content="text/html; charset=utf-8">
+</head>
+<body>
+<script type="application/javascript">
+
+/*
+	Tests whether Firefox crashes when accessing the dialogArguments property
+	of a modal window that has been closed.
+*/
+SimpleTest.waitForExplicitFinish();
+
+function openModal() {
+	showModalDialog("javascript:opener.winRef = window; \
+		window.opener.setTimeout(\'winRef.dialogArguments;\', 0);\
+		window.close();");
+
+	ok(true, "dialogArguments did not cause a crash.");
+	SimpleTest.finish();
+}
+
+window.onload = openModal;
+</script>
+</body>
+</html>