Bug 1528794 - Check clone buffer contents at runtime r=jorendorff
authorSteve Fink <sfink@mozilla.com>
Mon, 04 Mar 2019 18:28:20 +0000
changeset 520132 a9911c4882de3ee2862a563988c01dc90bc69ec5
parent 520131 8df68de5179601ea70ad1b2d73c1ec282927adc8
child 520133 ed6397d7e51a7e9084281d2a8b33b0c5e8eeedb7
push id10862
push userffxbld-merge
push dateMon, 11 Mar 2019 13:01:11 +0000
reviewersjorendorff
bugs1528794
milestone67.0a1
Bug 1528794 - Check clone buffer contents at runtime r=jorendorff Differential Revision: https://phabricator.services.mozilla.com/D21817
js/src/vm/StructuredClone.cpp
--- a/js/src/vm/StructuredClone.cpp
+++ b/js/src/vm/StructuredClone.cpp
@@ -2663,17 +2663,21 @@ bool JSStructuredCloneReader::readTransf
 
   for (uint64_t i = 0; i < numTransferables; i++) {
     auto pos = in.tell();
 
     if (!in.readPair(&tag, &data)) {
       return false;
     }
 
-    MOZ_ASSERT(tag != SCTAG_TRANSFER_MAP_PENDING_ENTRY);
+    if (tag == SCTAG_TRANSFER_MAP_PENDING_ENTRY) {
+      ReportDataCloneError(cx, callbacks, JS_SCERR_TRANSFERABLE);
+      return false;
+    }
+
     RootedObject obj(cx);
 
     void* content;
     if (!in.readPtr(&content)) {
       return false;
     }
 
     uint64_t extraData;
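Review bot: The new rejection of `SCTAG_TRANSFER_MAP_PENDING_ENTRY` carries no comment saying why a runtime check now replaces the assertion, and to a later reader the branch looks like an impossible case that could be folded back into a MOZ_ASSERT. A one-line comment above the `if` would pin the intent, e.g. `// A pending entry means the transfer map was never completed; the buffer is not trusted here, so treat it as malformed data, not as an invariant violation.` The same reasoning applies to the tag check in the second hunk of this file. The enclosing loop and readTransferMap itself begin before this hunk.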
@@ -2705,17 +2709,20 @@ bool JSStructuredCloneReader::readTransf
       auto guard = mozilla::MakeScopeExit([&] { in.seekTo(savedPos); });
       in.seekTo(pos);
       in.seekBy(static_cast<size_t>(extraData));
 
       uint32_t tag, data;
       if (!in.readPair(&tag, &data)) {
         return false;
       }
-      MOZ_ASSERT(tag == SCTAG_ARRAY_BUFFER_OBJECT);
+      if (tag != SCTAG_ARRAY_BUFFER_OBJECT) {
+        ReportDataCloneError(cx, callbacks, JS_SCERR_TRANSFERABLE);
+        return false;
+      }
       RootedValue val(cx);
       if (!readArrayBuffer(data, &val)) {
         return false;
       }
       obj = &val.toObject();
     } else {
       if (!callbacks || !callbacks->readTransfer) {
         ReportDataCloneError(cx, callbacks, JS_SCERR_TRANSFERABLE);
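Review bot: The new check at `if (tag != SCTAG_ARRAY_BUFFER_OBJECT)` only runs after `in.seekTo(pos); in.seekBy(static_cast<size_t>(extraData));`, and extraData is a uint64_t read from the same untrusted buffer (declared at the end of the previous hunk), so the commit validates the tag at the seek target but not the seek offset itself; if seekBy does not bound-check, the following readPair is reached with a position past the end of the buffer before the tag is ever compared. Presumably readPair fails cleanly on a truncated buffer, but nothing visible here establishes that, and on a 32-bit build the `static_cast<size_t>` also silently truncates offsets above SIZE_MAX. Either a range check on extraData against the buffer length before the seek, reporting the same JS_SCERR_TRANSFERABLE error, or a comment stating that seekBy and readPair are bounds-checked would close the gap. The else branch that begins at the end of this hunk continues outside it.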