Bug 1042436 - Always enter the wrapper's compartment before invoking SilentFailure. r=gabor
authorBobby Holley <bobbyholley@gmail.com>
Sat, 09 Aug 2014 00:39:32 -0400
changeset 208277 08c5b02a125e
parent 208276 53c7aceaf1a8
child 208278 84bf42618416
push id3798
push userbobbyholley@gmail.com
push date2014-08-09 04:40 +0000
reviewersgabor
bugs1042436
milestone32.0
Bug 1042436 - Always enter the wrapper's compartment before invoking SilentFailure. r=gabor
js/xpconnect/wrappers/XrayWrapper.cpp
--- a/js/xpconnect/wrappers/XrayWrapper.cpp
+++ b/js/xpconnect/wrappers/XrayWrapper.cpp
@@ -446,27 +446,31 @@ bool JSXrayTraits::getOwnPropertyFromTar
     if (!JS_GetOwnPropertyDescriptorById(cx, target, id, &desc))
         return false;
 
     // If the property doesn't exist at all, we're done.
     if (!desc.object())
         return true;
 
     // Disallow accessor properties.
-    if (desc.hasGetterOrSetter())
+    if (desc.hasGetterOrSetter()) {
+        JSAutoCompartment ac(cx, wrapper);
         return SilentFailure(cx, id, "Property has accessor");
+    }
 
     // Apply extra scrutiny to objects.
     if (desc.value().isObject()) {
         RootedObject propObj(cx, js::UncheckedUnwrap(&desc.value().toObject()));
         JSAutoCompartment ac(cx, propObj);
 
         // Disallow non-subsumed objects.
-        if (!AccessCheck::subsumes(target, propObj))
+        if (!AccessCheck::subsumes(target, propObj)) {
+            JSAutoCompartment ac(cx, wrapper);
             return SilentFailure(cx, id, "Value not same-origin with target");
+        }
 
         // Disallow non-Xrayable objects.
         if (GetXrayType(propObj) == NotXray) {
             // Note - We're going add Xrays for Arrays/TypedArrays soon in
             // bug 987163, so we don't want to cause unnecessary compat churn
             // by making xrayedObj.arrayProp stop working temporarily, and then
             // start working again. At the same time, this is an important check,
             // and this patch wouldn't be as useful without it. So we just
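Review bot: The `JSAutoCompartment ac(cx, wrapper);` added inside the `desc.value().isObject()` block (before "Value not same-origin with target", and again before "Value not Xrayable" and "Value is callable" in the next hunk) shadows the `ac` that entered propObj's compartment a few lines above, so a reader has to track scopes to see which compartment is current at each return. A distinct name such as `JSAutoCompartment acWrapper(cx, wrapper);` would sit better beside the `ac2` used further down, and a one-line comment like `// SilentFailure must run in the wrapper's compartment, not the target's.` would record the invariant the commit title states. The fix also depends on every early return remembering the guard, so a small helper that takes `wrapper`, enters its compartment and then calls SilentFailure would stop a later failure path from reintroducing the mismatch. The function body starts and ends outside these hunks, so any other SilentFailure callers are not visible here.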
@@ -474,23 +478,26 @@ bool JSXrayTraits::getOwnPropertyFromTar
             // lands.
             JSProtoKey key = IdentifyStandardInstanceOrPrototype(propObj);
             if (key != JSProto_Uint8ClampedArray &&
                 key != JSProto_Int8Array && key != JSProto_Uint8Array &&
                 key != JSProto_Int16Array && key != JSProto_Uint16Array &&
                 key != JSProto_Int32Array && key != JSProto_Uint32Array &&
                 key != JSProto_Float32Array && key != JSProto_Float64Array)
             {
+                JSAutoCompartment ac(cx, wrapper);
                 return SilentFailure(cx, id, "Value not Xrayable");
             }
         }
 
         // Disallow callables.
-        if (JS_ObjectIsCallable(cx, propObj))
+        if (JS_ObjectIsCallable(cx, propObj)) {
+            JSAutoCompartment ac(cx, wrapper);
             return SilentFailure(cx, id, "Value is callable");
+        }
     }
 
     // Disallow any property that shadows something on its (Xrayed)
     // prototype chain.
     JSAutoCompartment ac2(cx, wrapper);
     RootedObject proto(cx);
     bool foundOnProto = false;
     if (!JS_GetPrototype(cx, wrapper, &proto) ||