Bug 1396620 - Part 2: Fix compartment mismatch crash when doing old prototype swizzling for custom element; draft
authorEdgar Chen <echen@mozilla.com>
Mon, 16 Oct 2017 10:14:56 +0800
changeset 698734 447d41ce3663c9cf9b2bb21bfaeb7724ef663e6b
parent 698733 902616e114218dce3befad364590e17ae31dd5da
child 698735 8170ab8ba3ddc9abc8fa453254931078d86285ef
child 699003 7e32029d2ed51cf70fdaeb1275189a6417c5db25
push id89341
push userechen@mozilla.com
push dateThu, 16 Nov 2017 01:57:58 +0000
bugs1396620
milestone59.0a1
Bug 1396620 - Part 2: Fix compartment mismatch crash when doing old prototype swizzling for custom element; MozReview-Commit-ID: GMxikyKJ54A
dom/base/Element.cpp
--- a/dom/base/Element.cpp
+++ b/dom/base/Element.cpp
@@ -519,16 +519,20 @@ Element::WrapObject(JSContext *aCx, JS::
     // Custom element prototype swizzling.
     CustomElementData* data = GetCustomElementData();
     if (data) {
       // If this is a registered custom element then fix the prototype.
       nsContentUtils::GetCustomPrototype(OwnerDoc(), NodeInfo()->NamespaceID(),
                                          data->mType, &customProto);
       if (customProto &&
           NodePrincipal()->SubsumesConsideringDomain(nsContentUtils::ObjectPrincipal(customProto))) {
+        // The custom element prototype could be in different compartment.
+        if (!JS_WrapObject(aCx, &customProto)) {
+          return nullptr;
+        }
         // Just go ahead and create with the right proto up front.  Set
         // customProto to null to flag that we don't need to do any post-facto
         // proto fixups here.
         givenProto = customProto;
         customProto = nullptr;
       }
     }
   }
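Review bot: The added comment above `JS_WrapObject` should say where the foreign compartment comes from and why the wrap is placed after the principal check rather than before it, because the ordering is what keeps the check meaningful. `nsContentUtils::GetCustomPrototype` hands back the prototype from the registry's own compartment while `aCx` is the caller's, and `nsContentUtils::ObjectPrincipal` on a cross-compartment wrapper would, as far as I can tell, yield the wrapper's (i.e. `aCx`'s) principal rather than the real prototype's, so moving the wrap earlier would make `SubsumesConsideringDomain` trivially pass. I would replace the one-line comment with: `// GetCustomPrototype returns the prototype in the registry's compartment, not aCx's; wrap it into aCx before using it as a proto. Keep this after the SubsumesConsideringDomain check above, which must see the unwrapped prototype's principal, not the wrapper's.` Returning `nullptr` on a failed `JS_WrapObject` looks consistent with the other failure exits of `Element::WrapObject`, but that function starts before and continues past this hunk, so I cannot confirm from here that no caller expects a pending exception to have been reported.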