From e2daa1df741e10eb25da522621559c6695d20533 Mon Sep 17 00:00:00 2001
From: Peter Van der Beken <peterv@propagandism.org>
Date: Mon, 16 Jul 2012 16:52:59 +0200
Subject: [PATCH] Fix for bug 769464 (Check mDOMObjectIsISupports when
 unwrapping). r=bz.

--HG--
extra : rebase_source : 26d0508b8a11d75164ae4b27af8c64e8845166f9
---
 dom/bindings/crashtests/769464.html     | 11 +++++++++++
 dom/bindings/crashtests/crashtests.list |  1 +
 js/xpconnect/src/XPCQuickStubs.cpp      |  5 +++++
 testing/crashtest/crashtests.list       |  1 +
 4 files changed, 18 insertions(+)
 create mode 100644 dom/bindings/crashtests/769464.html
 create mode 100644 dom/bindings/crashtests/crashtests.list

diff --git a/dom/bindings/crashtests/769464.html b/dom/bindings/crashtests/769464.html
new file mode 100644
index 00000000000..84d6dbc08b4
--- /dev/null
+++ b/dom/bindings/crashtests/769464.html
@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<script>
+
+function boom()
+{
+    window.getComputedStyle(new Worker("404.js"));
+}
+
+window.addEventListener("load", boom, false);
+
+</script>
diff --git a/dom/bindings/crashtests/crashtests.list b/dom/bindings/crashtests/crashtests.list
new file mode 100644
index 00000000000..cb954bd91fc
--- /dev/null
+++ b/dom/bindings/crashtests/crashtests.list
@@ -0,0 +1 @@
+asserts-if(cocoaWidget,0-1) load 769464.html
diff --git a/js/xpconnect/src/XPCQuickStubs.cpp b/js/xpconnect/src/XPCQuickStubs.cpp
index 3cb3e69c7a5..b5fc28851b6 100644
--- a/js/xpconnect/src/XPCQuickStubs.cpp
+++ b/js/xpconnect/src/XPCQuickStubs.cpp
@@ -752,6 +752,11 @@ castNative(JSContext *cx,
         QITableEntry *entries;
         js::Class* clasp = js::GetObjectClass(cur);
         if (dom::IsDOMClass(clasp)) {
+            dom::DOMJSClass* domClass = dom::DOMJSClass::FromJSClass(clasp);
+            if (!domClass->mDOMObjectIsISupports) {
+                *pThisRef = nsnull;
+                return NS_ERROR_ILLEGAL_VALUE;
+            }
             native = dom::UnwrapDOMObject<nsISupports>(cur);
             entries = nsnull;
         } else if (dom::binding::instanceIsProxy(cur)) {
diff --git a/testing/crashtest/crashtests.list b/testing/crashtest/crashtests.list
index deb9afb5e13..5b7db0ece73 100644
--- a/testing/crashtest/crashtests.list
+++ b/testing/crashtest/crashtests.list
@@ -23,6 +23,7 @@ include ../../content/media/test/crashtests/crashtests.list
 include ../../docshell/base/crashtests/crashtests.list
 
 include ../../dom/base/crashtests/crashtests.list
+include ../../dom/bindings/crashtests/crashtests.list
 include ../../dom/indexedDB/crashtests/crashtests.list
 include ../../dom/src/offline/crashtests/crashtests.list
 include ../../dom/src/jsurl/crashtests/crashtests.list