Bug 654370 - Initialize bp to false to avoid reading random memory. r=gal
authorBlake Kaplan <mrbkap@gmail.com>
Tue, 17 May 2011 09:25:06 +0200
changeset 69909 57ef10a3d925e3d8b7321f2720a467ee39d8c9d5
parent 69908 ece0feb51587e8a6644d1d1a9240663f3e2befc2
child 69911 8f29678aa3ace8c1f978f47599a2d3b39750d2fc
push id20142
push usercleary@mozilla.com
push dateMon, 23 May 2011 07:31:35 +0000
reviewersgal
bugs654370
milestone6.0a1
Bug 654370 - Initialize bp to false to avoid reading random memory. r=gal
dom/base/nsDOMClassInfo.cpp
js/src/jswrapper.cpp
js/src/xpconnect/tests/chrome/Makefile.in
js/src/xpconnect/tests/chrome/test_bug654370.xul
--- a/dom/base/nsDOMClassInfo.cpp
+++ b/dom/base/nsDOMClassInfo.cpp
@@ -6033,16 +6033,17 @@ nsDOMConstructor::Construct(nsIXPConnect
 
 nsresult
 nsDOMConstructor::HasInstance(nsIXPConnectWrappedNative *wrapper,
                               JSContext * cx, JSObject * obj,
                               const jsval &v, PRBool *bp, PRBool *_retval)
 
 {
   // No need to look these up in the hash.
+  *bp = PR_FALSE;
   if (JSVAL_IS_PRIMITIVE(v)) {
     return NS_OK;
   }
 
   JSObject *dom_obj = JSVAL_TO_OBJECT(v);
   NS_ASSERTION(dom_obj, "nsDOMConstructor::HasInstance couldn't get object");
 
   // This might not be the right object, if XPCNativeWrapping
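Review bot: The added `*bp = PR_FALSE;` sits between the comment `// No need to look these up in the hash.` and the `JSVAL_IS_PRIMITIVE(v)` check that the comment describes, so the comment now reads as if it explains the assignment. Moving the assignment above that comment and giving it its own line, e.g. `// Default to "not an instance" so every early return leaves *bp defined.`, keeps both intents readable. The primitive path still returns NS_OK without writing `*_retval`; whether callers pre-initialize it is not visible here, so that is worth confirming. The body of HasInstance continues past the end of this hunk.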
--- a/js/src/jswrapper.cpp
+++ b/js/src/jswrapper.cpp
@@ -256,19 +256,19 @@ JSWrapper::construct(JSContext *cx, JSOb
     vp->setUndefined(); // default result if we refuse to perform this action
     const jsid id = JSID_VOID;
     GET(JSProxyHandler::construct(cx, wrapper, argc, argv, vp));
 }
 
 bool
 JSWrapper::hasInstance(JSContext *cx, JSObject *wrapper, const Value *vp, bool *bp)
 {
-    *bp = true; // default result if we refuse to perform this action
+    *bp = false; // default result if we refuse to perform this action
     const jsid id = JSID_VOID;
-    JSBool b;
+    JSBool b = JS_FALSE;
     GET(JS_HasInstance(cx, wrappedObject(wrapper), Jsvalify(*vp), &b) && Cond(b, bp));
 }
 
 JSType
 JSWrapper::typeOf(JSContext *cx, JSObject *wrapper)
 {
     return TypeOfValue(cx, ObjectValue(*wrappedObject(wrapper)));
 }
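Review bot: The comment kept on `*bp = false;` in JSWrapper::hasInstance still says only "default result if we refuse to perform this action" and does not record why the default has to be false. This is presumably the value script observes when the wrapper declines the check (the GET macro is not visible in this hunk), so the fail-closed intent deserves to be stated, e.g. `// fail closed: a refused check must never report the value as an instance`. The new `JSBool b = JS_FALSE;` would benefit from a short note too, such as `// defined even if JS_HasInstance fails before writing it`.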
--- a/js/src/xpconnect/tests/chrome/Makefile.in
+++ b/js/src/xpconnect/tests/chrome/Makefile.in
@@ -59,16 +59,17 @@ include $(topsrcdir)/config/rules.mk
 		test_bug571849.xul \
 		test_bug601803.xul \
 		test_bug610390.xul \
 		test_bug614757.xul \
 		test_bug616992.xul \
 		test_bug618176.xul \
 		file_bug618176.xul \
 		test_bug596580.xul \
+		test_bug654370.xul \
 		$(NULL)
 
 # Disabled until this test gets updated to test the new proxy based
 # wrappers.
 #		test_wrappers-2.xul \
 
 libs:: $(_CHROME_FILES)
 	$(INSTALL) $(foreach f,$^,"$f") $(DEPTH)/_tests/testing/mochitest/chrome/$(relativesrcdir)
new file mode 100644
--- /dev/null
+++ b/js/src/xpconnect/tests/chrome/test_bug654370.xul
@@ -0,0 +1,31 @@
+<?xml version="1.0"?>
+<?xml-stylesheet href="chrome://global/skin" type="text/css"?>
+<?xml-stylesheet href="chrome://mochikit/content/tests/SimpleTest/test.css"
+                 type="text/css"?>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=654370
+-->
+<window title="Mozilla Bug 654370"
+  xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
+  <script type="application/javascript"
+          src="chrome://mochikit/content/MochiKit/packed.js"></script>
+  <script type="application/javascript"
+          src="chrome://mochikit/content/tests/SimpleTest/SimpleTest.js"></script>
+
+  <!-- test results are displayed in the html:body -->
+  <body xmlns="http://www.w3.org/1999/xhtml">
+  <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=654370"
+     target="_blank">Mozilla Bug 654370</a>
+  </body>
+
+  <!-- test code goes here -->
+  <script type="application/javascript"><![CDATA[
+
+var Cu = Components.utils;
+var sandbox = new Cu.Sandbox(window);
+var script = "function (obj, type) { return obj instanceof type; }";
+var instanceOf = Cu.evalInSandbox(script, sandbox, "1.8", "Test", 1);
+ok(!instanceOf({}, Window), "instanceOf from the sandbox gets the right result");
+
+  ]]></script>
+</window>
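Review bot: The new test asserts only the negative case, `ok(!instanceOf({}, Window), ...)`, so it would still pass if hasInstance through the wrapper returned false for every input. A positive assertion next to it, e.g. `ok(instanceOf(window, Window), "instanceOf from the sandbox still recognizes a real Window");`, would pin both directions, assuming that result holds for the wrapped `window` in this chrome test context. A one-line comment above the assertions saying that the sandboxed function forces `instanceof` through the cross-compartment wrapper's hasInstance would also help readers see what the test is exercising.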