Bug 1082547 - Copy sandbox option strings instead of adopting them. r=bholley
Strings coming from JS objects are allocated using js_malloc, which may
use a separate heap; nsCString is unaware of that and tries to free its
underlying buffer with a regular free(). Because of that, we need to copy
the string into a separate buffer allocated from the correct heap instead
of adopting the js_malloc'd one.
--- a/js/xpconnect/src/Sandbox.cpp
+++ b/js/xpconnect/src/Sandbox.cpp
@@ -1236,17 +1236,18 @@ OptionsBase::ParseString(const char *nam
if (!value.isString()) {
JS_ReportError(mCx, "Expected a string value for property %s", name);
return false;
}
char *tmp = JS_EncodeString(mCx, value.toString());
NS_ENSURE_TRUE(tmp, false);
- prop.Adopt(tmp, strlen(tmp));
+ prop.Assign(tmp, strlen(tmp));
+ js_free(tmp);
return true;
}
/*
* Helper that tries to get a string property from the options object.
*/
bool
OptionsBase::ParseString(const char *name, nsString &prop)