Bug 963738 - Fix an exact rooting hazard false positive in NPAPI; r=bsmedberg
authorTerrence Cole <terrence@mozilla.com>
Wed, 29 Jan 2014 09:31:09 -0800
changeset 182407 7400843fb1c0b718c60172c77644f61f0a49dfb6
parent 182406 35c57af24bf5e00d401ed2699379ad606e6ef6df
child 182408 0a5dbede3e832db0c528a6baf210cfa0fbdf59aa
reviewersbsmedberg
bugs963738
milestone29.0a1
Bug 963738 - Fix an exact rooting hazard false positive in NPAPI; r=bsmedberg
dom/plugins/base/nsJSNPRuntime.cpp
--- a/dom/plugins/base/nsJSNPRuntime.cpp
+++ b/dom/plugins/base/nsJSNPRuntime.cpp
@@ -630,61 +630,42 @@ doInvoke(NPObject *npobj, NPIdentifier m
     if (!GetProperty(cx, npjsobj->mJSObj, method, &fv) ||
         ::JS_TypeOfValue(cx, fv) != JSTYPE_FUNCTION) {
       return false;
     }
   } else {
     fv = OBJECT_TO_JSVAL(npjsobj->mJSObj);
   }
 
-  JS::Value jsargs_buf[8];
-  JS::Value *jsargs = jsargs_buf;
-
-  if (argCount > (sizeof(jsargs_buf) / sizeof(JS::Value))) {
-    // Our stack buffer isn't large enough to hold all arguments,
-    // malloc a buffer.
-    jsargs = (JS::Value *)PR_Malloc(argCount * sizeof(JS::Value));
-    if (!jsargs) {
+  // Convert args
+  JS::AutoValueVector jsargs(cx);
+  if (!jsargs.reserve(argCount)) {
       ::JS_ReportOutOfMemory(cx);
-
       return false;
-    }
+  }
+  for (uint32_t i = 0; i < argCount; ++i) {
+    jsargs.infallibleAppend(NPVariantToJSVal(npp, cx, args + i));
   }
 
   JS::Rooted<JS::Value> v(cx);
-  bool ok;
-
-  {
-    JS::AutoArrayRooter tvr(cx, 0, jsargs);
+  bool ok = false;
 
-    // Convert args
-    for (uint32_t i = 0; i < argCount; ++i) {
-      jsargs[i] = NPVariantToJSVal(npp, cx, args + i);
-      tvr.changeLength(i + 1);
-    }
-
-    if (ctorCall) {
-      JSObject *newObj =
-        ::JS_New(cx, npjsobj->mJSObj, argCount, jsargs);
+  if (ctorCall) {
+    JSObject *newObj =
+      ::JS_New(cx, npjsobj->mJSObj, jsargs.length(), jsargs.begin());
 
-      if (newObj) {
-        v = OBJECT_TO_JSVAL(newObj);
-        ok = true;
-      } else {
-        ok = false;
-      }
-    } else {
-      ok = ::JS_CallFunctionValue(cx, npjsobj->mJSObj, fv, argCount, jsargs, v.address());
+    if (newObj) {
+      v.setObject(*newObj);
+      ok = true;
     }
-
+  } else {
+    ok = ::JS_CallFunctionValue(cx, npjsobj->mJSObj, fv, jsargs.length(),
+                                jsargs.begin(), v.address());
   }
 
-  if (jsargs != jsargs_buf)
-    PR_Free(jsargs);
-
   if (ok)
     ok = JSValToNPVariant(npp, cx, v, result);
 
   return ok;
 }
 
 // static
 bool
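Review bot: The `jsargs.infallibleAppend(...)` in the conversion loop is only sound because `jsargs.reserve(argCount)` succeeded a few lines earlier, and nothing in the new code states that invariant; a maintainer who later appends anything after the loop, or moves the reserve, would silently get an unchecked write. I would add above the loop: `// reserve(argCount) succeeded above, so each append below cannot fail; do not append beyond argCount entries.` It is also worth a one-line comment that the AutoValueVector is itself rooted, so every value produced by NPVariantToJSVal is reachable by the GC before the next conversion (or JS_New / JS_CallFunctionValue) can trigger one — that is what the removed AutoArrayRooter/changeLength pattern was doing by hand, and the comment would stop someone from "simplifying" it back to a plain array. The replacement of the `argCount * sizeof(JS::Value)` PR_Malloc with `reserve` also drops an unchecked size computation on a plugin-supplied count, which is a welcome side effect but is not mentioned in the description. doInvoke's body begins before this hunk, so the origin of `argCount` and `args` is not visible here.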