Bug 1528794 - Check clone buffer contents at runtime r=jorendorff
☠☠ backed out by 689c3fe76006 ☠ ☠
authorSteve Fink <sfink@mozilla.com>
Sat, 02 Mar 2019 01:03:00 +0000
changeset 519940 0b61149893f94fcc65fe6535c55f6ef6240741db
parent 519939 c6197e7ad760cac9d691482130fa8ea72e7fd8de
child 519941 bb694b612b1ba466b71f22aa1793f7d3149ec945
push id10862
push userffxbld-merge
push dateMon, 11 Mar 2019 13:01:11 +0000
reviewersjorendorff
bugs1528794
milestone67.0a1
Bug 1528794 - Check clone buffer contents at runtime r=jorendorff Differential Revision: https://phabricator.services.mozilla.com/D21817
js/src/vm/StructuredClone.cpp
--- a/js/src/vm/StructuredClone.cpp
+++ b/js/src/vm/StructuredClone.cpp
@@ -2663,17 +2663,21 @@ bool JSStructuredCloneReader::readTransf
 
   for (uint64_t i = 0; i < numTransferables; i++) {
     auto pos = in.tell();
 
     if (!in.readPair(&tag, &data)) {
       return false;
     }
 
-    MOZ_ASSERT(tag != SCTAG_TRANSFER_MAP_PENDING_ENTRY);
+    if (tag != SCTAG_TRANSFER_MAP_PENDING_ENTRY) {
+      ReportDataCloneError(cx, callbacks, JS_SCERR_TRANSFERABLE);
+      return false;
+    }
+
     RootedObject obj(cx);
 
     void* content;
     if (!in.readPtr(&content)) {
       return false;
     }
 
     uint64_t extraData;
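Review bot: The new guard inverts the condition of the assertion it replaces: the removed line asserted `tag != SCTAG_TRANSFER_MAP_PENDING_ENTRY`, but the added branch reports JS_SCERR_TRANSFERABLE and returns false exactly when that holds, so every well-formed transfer-map entry is now rejected and only a pending entry — the case the assertion existed to rule out — passes through. The check should read `if (tag == SCTAG_TRANSFER_MAP_PENDING_ENTRY) {`. Since this is now a runtime rejection of untrusted buffer contents rather than a debug assertion, a one-line comment would help the next reader, e.g. `// A pending entry must never appear in a finished clone buffer; treat it as malformed.` readTransferMap begins and ends outside the hunk, so I cannot see whether a later tag check depends on this one.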
@@ -2705,17 +2709,20 @@ bool JSStructuredCloneReader::readTransf
       auto guard = mozilla::MakeScopeExit([&] { in.seekTo(savedPos); });
       in.seekTo(pos);
       in.seekBy(static_cast<size_t>(extraData));
 
       uint32_t tag, data;
       if (!in.readPair(&tag, &data)) {
         return false;
       }
-      MOZ_ASSERT(tag == SCTAG_ARRAY_BUFFER_OBJECT);
+      if (tag != SCTAG_ARRAY_BUFFER_OBJECT) {
+        ReportDataCloneError(cx, callbacks, JS_SCERR_TRANSFERABLE);
+        return false;
+      }
       RootedValue val(cx);
       if (!readArrayBuffer(data, &val)) {
         return false;
       }
       obj = &val.toObject();
     } else {
       if (!callbacks || !callbacks->readTransfer) {
         ReportDataCloneError(cx, callbacks, JS_SCERR_TRANSFERABLE);