Bug 1370752: Part 1 - Enter the correct target compartment when creating structured clone holder. r=aswan
authorKris Maglione <maglione.k@gmail.com>
Fri, 09 Jun 2017 18:15:50 -0700
changeset 363415 5b483c5bb3d4384ec0d6efb365d9c4aa8967a3bd
parent 363414 07b5b1e2ed4b665b6f01fc8a9d98faad65df5c21
child 363416 4111a13b009fa64d890d827b956908e3aaf580e0
push id91312
push usermaglione.k@gmail.com
push dateMon, 12 Jun 2017 05:49:12 +0000
reviewersaswan
bugs1370752
milestone55.0a1
Bug 1370752: Part 1 - Enter the correct target compartment when creating structured clone holder. r=aswan MozReview-Commit-ID: AoDsocd3vPu
dom/base/StructuredCloneBlob.cpp
--- a/dom/base/StructuredCloneBlob.cpp
+++ b/dom/base/StructuredCloneBlob.cpp
@@ -22,28 +22,35 @@ namespace dom {
 StructuredCloneBlob::StructuredCloneBlob()
     : StructuredCloneHolder(CloningSupported, TransferringNotSupported,
                             StructuredCloneScope::DifferentProcess)
 {};
 
 
 /* static */ already_AddRefed<StructuredCloneBlob>
 StructuredCloneBlob::Constructor(GlobalObject& aGlobal, JS::HandleValue aValue,
-                                      JS::HandleObject aTargetGlobal,
-                                      ErrorResult& aRv)
+                                 JS::HandleObject aTargetGlobal,
+                                 ErrorResult& aRv)
 {
   JSContext* cx = aGlobal.Context();
 
   RefPtr<StructuredCloneBlob> holder = new StructuredCloneBlob();
 
   Maybe<JSAutoCompartment> ac;
   JS::RootedValue value(cx, aValue);
 
   if (aTargetGlobal) {
-    ac.emplace(cx, aTargetGlobal);
+    JS::RootedObject targetGlobal(cx, js::CheckedUnwrap(aTargetGlobal));
+    if (!targetGlobal) {
+      js::ReportAccessDenied(cx);
+      aRv.NoteJSContextException(cx);
+      return nullptr;
+    }
+
+    ac.emplace(cx, targetGlobal);
 
     if (!JS_WrapValue(cx, &value)) {
       aRv.NoteJSContextException(cx);
       return nullptr;
     }
   } else if (value.isObject()) {
     JS::RootedObject obj(cx, js::CheckedUnwrap(&value.toObject()));
     if (!obj) {
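Review bot: The new unwrap-and-deny branch ahead of `ac.emplace(cx, targetGlobal)` has no comment explaining why `aTargetGlobal` has to be unwrapped first, and that reasoning is the security-relevant part of this change. Presumably the caller passes a cross-compartment wrapper, so entering it directly would select the wrapper's compartment rather than the target's; I would add `// aTargetGlobal may be a cross-compartment wrapper: unwrap it so we enter the target's own compartment, and fail closed if the caller may not see through the wrapper.` above the `js::CheckedUnwrap` call. Nothing in the hunk checks that the unwrapped object is actually a global, so if later code relies on that, the comment should state the assumption or the code should assert it. Constructor's body continues past the end of the hunk, so how the entered compartment is used afterwards is not visible here.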