Bug 1082547 - Copy sandbox option strings instead of adopting them. r=bholley
author Guilherme Goncalves <guilherme.p.gonc@gmail.com>
Tue, 14 Oct 2014 05:58:00 +0200
changeset 210514 56d729d290c72aa489f82dff3f8df3c00acb7be4
parent 210513 422ce62454c6c0d6f27aeca4e5efdc1a5c407914
child 210515 032d902ad7a9762d456d4c257f91118086ca534e
push id 1
push user root
push date Mon, 20 Oct 2014 17:29:22 +0000
reviewers bholley
bugs 1082547
milestone 36.0a1
Bug 1082547 - Copy sandbox option strings instead of adopting them. r=bholley

Strings coming from JS objects are allocated using js_malloc, which may potentially use a separate heap, but nsCString is unaware of that, and tries to free its underlying buffer using a regular free(); because of that, we need to copy the string into a separate buffer allocated from the correct heap.
js/xpconnect/src/Sandbox.cpp
--- a/js/xpconnect/src/Sandbox.cpp
+++ b/js/xpconnect/src/Sandbox.cpp
@@ -1236,17 +1236,18 @@ OptionsBase::ParseString(const char *nam
 
     if (!value.isString()) {
         JS_ReportError(mCx, "Expected a string value for property %s", name);
         return false;
     }
 
     char *tmp = JS_EncodeString(mCx, value.toString());
     NS_ENSURE_TRUE(tmp, false);
-    prop.Adopt(tmp, strlen(tmp));
+    prop.Assign(tmp, strlen(tmp));
+    js_free(tmp);
     return true;
 }
 
 /*
  * Helper that tries to get a string property from the options object.
  */
 bool
 OptionsBase::ParseString(const char *name, nsString &prop)
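Review bot: the new `prop.Assign(tmp, strlen(tmp));` / `js_free(tmp);` pair has no comment saying why the buffer is copied rather than adopted, so a later cleanup could reasonably "optimize" it back to `Adopt` and reintroduce the allocator mismatch the commit message describes. A one-line comment above the `Assign` call stating that `tmp` comes from js_malloc and must be released with `js_free`, never handed to nsCString, would keep that from happening. The manual `js_free(tmp)` is also only correct while nothing between `JS_EncodeString` and the free can return early; a scoped owner for the encoded buffer would make that hold by construction. The `nsString` overload of `ParseString` that starts in the trailing context is not part of this hunk, so it is worth confirming it does not take ownership of a JS-allocated buffer in the same way.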