Bug 689118 - Protect against JSVAL_IS_OBJECT(null) being true. r=luke a=akeybl
--- a/js/jsd/jsd_val.c
+++ b/js/jsd/jsd_val.c
@@ -223,17 +223,17 @@ jsd_GetValueString(JSDContext* jsdc, JSD
if(JSVAL_IS_STRING(jsdval->val)) {
jsdval->string = JSVAL_TO_STRING(jsdval->val);
return jsdval->string;
}
JS_BeginRequest(cx);
/* Objects call JS_ValueToString in their own compartment. */
- scopeObj = JSVAL_IS_OBJECT(jsdval->val) ? JSVAL_TO_OBJECT(jsdval->val) : jsdc->glob;
+ scopeObj = !JSVAL_IS_PRIMITIVE(jsdval->val) ? JSVAL_TO_OBJECT(jsdval->val) : jsdc->glob;
call = JS_EnterCrossCompartmentCall(cx, scopeObj);
if(!call) {
JS_EndRequest(cx);
return NULL;
}
exceptionState = JS_SaveExceptionState(cx);
string = JS_ValueToString(cx, jsdval->val);