Bug 1048330 - Null-check the XBL scope in more places. r=smaug, a=sledru
--- a/dom/bindings/BindingUtils.h
+++ b/dom/bindings/BindingUtils.h
@@ -1405,16 +1405,17 @@ WrapNativeParent(JSContext* cx, T* p, ns
// If useXBLScope is true, it means that the canonical reflector for this
// native object should live in the XBL scope.
if (xpc::IsInContentXBLScope(parent)) {
return parent;
}
JS::Rooted<JSObject*> rootedParent(cx, parent);
JS::Rooted<JSObject*> xblScope(cx, xpc::GetXBLScope(cx, rootedParent));
+ NS_ENSURE_TRUE(xblScope, nullptr);
JSAutoCompartment ac(cx, xblScope);
if (NS_WARN_IF(!JS_WrapObject(cx, &rootedParent))) {
return nullptr;
}
return rootedParent;
}
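Review bot: The new `NS_ENSURE_TRUE(xblScope, nullptr);` sits directly above a failure path written as `if (NS_WARN_IF(!JS_WrapObject(cx, &rootedParent))) { return nullptr; }`, so the same function now mixes a control-flow-hiding macro with an explicit warn-and-return; `if (NS_WARN_IF(!xblScope)) { return nullptr; }` would match the existing line. The same mix appears in both nsXBLBinding.cpp hunks, where the neighbouring failure paths (`if (!JS_WrapObject(cx, &wrappedProto)) { return nullptr; }` and `return NS_ERROR_FAILURE;`) neither warn nor use the macro. One difference worth confirming with callers: the JS_WrapObject path presumably leaves a pending exception on cx, while the new early return bails with nothing reported beyond the NS_WARNING. WrapNativeParent's signature and opening lines are outside the hunk.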
--- a/dom/xbl/nsBindingManager.cpp
+++ b/dom/xbl/nsBindingManager.cpp
@@ -640,16 +640,17 @@ nsBindingManager::GetBindingImplementati
// content in order to view the full array of methods defined in the
// binding, some of which may not be exposed on the prototype of
// untrusted content.
//
// If there's no separate XBL scope, or if the reflector itself lives in
// the XBL scope, we'll end up with the global of the reflector, and this
// will all be a no-op.
JS::Rooted<JSObject*> xblScope(cx, xpc::GetXBLScopeOrGlobal(cx, jsobj));
+ NS_ENSURE_TRUE(xblScope, NS_ERROR_UNEXPECTED);
JSAutoCompartment ac(cx, xblScope);
bool ok = JS_WrapObject(cx, &jsobj);
NS_ENSURE_TRUE(ok, NS_ERROR_OUT_OF_MEMORY);
MOZ_ASSERT_IF(js::IsWrapper(jsobj), xpc::IsXrayWrapper(jsobj));
nsresult rv = xpConnect->WrapJSAggregatedToNative(aContent, cx,
jsobj, aIID, aResult);
if (NS_FAILED(rv))
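Review bot: The comment immediately above the new check (the "If there's no separate XBL scope ... we'll end up with the global of the reflector" paragraph) tells the reader the lookup always yields some object, so `NS_ENSURE_TRUE(xblScope, NS_ERROR_UNEXPECTED);` now contradicts it without explanation. A one-line comment on the check, e.g. `// GetXBLScopeOrGlobal can still return null; bail before entering its compartment.`, would reconcile the two. Separately, if `*aResult` is not set to nullptr at the top of GetBindingImplementation (outside this hunk), the new early return leaves the out-parameter untouched, which a caller checking only the result pointer could misread — worth confirming. The enclosing function starts before the hunk and continues past `if (NS_FAILED(rv))`.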
--- a/dom/xbl/nsXBLBinding.cpp
+++ b/dom/xbl/nsXBLBinding.cpp
@@ -921,16 +921,17 @@ GetOrCreateMapEntryForPrototype(JSContex
// to content prototypes), and the other for class objects that live in the
// XBL scope (prototyped to cross-compartment-wrapped content prototypes).
const char* name = xpc::IsInContentXBLScope(proto) ? "__ContentClassObjectMap__"
: "__XBLClassObjectMap__";
// Now, enter the XBL scope, since that's where we need to operate, and wrap
// the proto accordingly.
JS::Rooted<JSObject*> scope(cx, xpc::GetXBLScopeOrGlobal(cx, proto));
+ NS_ENSURE_TRUE(scope, nullptr);
JS::Rooted<JSObject*> wrappedProto(cx, proto);
JSAutoCompartment ac(cx, scope);
if (!JS_WrapObject(cx, &wrappedProto)) {
return nullptr;
}
// Grab the appropriate WeakMap.
JS::Rooted<JSObject*> map(cx, GetOrCreateClassObjectMap(cx, scope, name));
@@ -976,16 +977,17 @@ nsXBLBinding::DoInitJSClass(JSContext *c
// Note that, now that NAC reflectors are created in the XBL scope, the
// reflector is not necessarily same-compartment with the document. So we'll
// end up creating a separate instance of the oddly-named XBL class object
// and defining it as a property on the XBL scope's global. This works fine,
// but we need to make sure never to assume that the the reflector and
// prototype are same-compartment with the bound document.
JS::Rooted<JSObject*> global(cx, js::GetGlobalForObjectCrossCompartment(obj));
JS::Rooted<JSObject*> xblScope(cx, xpc::GetXBLScopeOrGlobal(cx, global));
+ NS_ENSURE_TRUE(xblScope, NS_ERROR_UNEXPECTED);
JS::Rooted<JSObject*> parent_proto(cx);
if (!JS_GetPrototype(cx, obj, &parent_proto)) {
return NS_ERROR_FAILURE;
}
// Get the map entry for the parent prototype. In the one-off case that the
// parent prototype is null, we somewhat hackily just use the WeakMap itself