Bug 1396620 - Part 2: Fix compartment mismatch crash when doing old prototype swizzling for custom element; draft
authorEdgar Chen <echen@mozilla.com>
Mon, 16 Oct 2017 10:14:56 +0800
changeset 699464 bf815c6b7d4e01c1fe1df9ed4276768078bb0698
parent 699463 4c3195e3e777805291a8a28c601a16b879d3de9e
child 699495 e57c8aa44e05f9c403073c8af4bd003585917502
child 700386 afb82948af579e10e45689fdaa1acc4bed1d14da
child 700393 acb4245e6e6c1c8392758fd75dbfc60737fdecb4
child 701060 213430316ea6d4cdf08ce33041a4eb0e112f5c9d
push id89578
push userechen@mozilla.com
push dateFri, 17 Nov 2017 07:07:45 +0000
bugs1396620
milestone59.0a1
Bug 1396620 - Part 2: Fix compartment mismatch crash when doing old prototype swizzling for custom element; MozReview-Commit-ID: GMxikyKJ54A
dom/base/Element.cpp
--- a/dom/base/Element.cpp
+++ b/dom/base/Element.cpp
@@ -519,16 +519,20 @@ Element::WrapObject(JSContext *aCx, JS::
     // Custom element prototype swizzling.
     CustomElementData* data = GetCustomElementData();
     if (data) {
       // If this is a registered custom element then fix the prototype.
       nsContentUtils::GetCustomPrototype(OwnerDoc(), NodeInfo()->NamespaceID(),
                                          data->GetCustomElementType(), &customProto);
       if (customProto &&
           NodePrincipal()->SubsumesConsideringDomain(nsContentUtils::ObjectPrincipal(customProto))) {
+        // The custom element prototype could be in different compartment.
+        if (!JS_WrapObject(aCx, &customProto)) {
+          return nullptr;
+        }
         // Just go ahead and create with the right proto up front.  Set
         // customProto to null to flag that we don't need to do any post-facto
         // proto fixups here.
         givenProto = customProto;
         customProto = nullptr;
       }
     }
   }
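Review bot: The order of the two steps inside the inner `if` is security-relevant, and the added comment does not say so. `SubsumesConsideringDomain(nsContentUtils::ObjectPrincipal(customProto))` has to see the original prototype: once `JS_WrapObject` has replaced `customProto` with a cross-compartment wrapper, `ObjectPrincipal` would presumably report the wrapper's own compartment and the check would pass trivially. I would expand the comment to something like `// customProto may live in another compartment; wrap it into aCx's compartment only after the principal check above, which must see the unwrapped object.` so a later refactor does not hoist the wrap above the check. When the check fails, `customProto` stays unwrapped for the post-facto fixup, which lies outside this hunk along with the rest of `Element::WrapObject`, so whether that path handles the compartment difference cannot be confirmed from here.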