Bug 1325877 - Make sure we're working in the compartment of the objects we're working with. r=bz, a=lizzard
authorJeff Walden <jwalden@mit.edu>
Wed, 28 Dec 2016 15:26:14 -0600
changeset 353293 21d3da6e4f050cc63e475055e2b0157aba1eecc4
parent 353292 998a1b4c7613fecced53454b195d3ee29f7b1a0e
child 353294 a6f6cf4180980a74083cc03f611cc510eb15b5cc
push id6795
push userjlund@mozilla.com
push dateMon, 23 Jan 2017 14:19:46 +0000
treeherdermozilla-esr52@76101b503191 [default view] [failures only]
reviewersbz, lizzard
bugs1325877
milestone52.0a2
Bug 1325877 - Make sure we're working in the compartment of the objects we're working with. r=bz, a=lizzard
dom/base/nsDOMClassInfo.cpp
--- a/dom/base/nsDOMClassInfo.cpp
+++ b/dom/base/nsDOMClassInfo.cpp
@@ -1353,16 +1353,22 @@ nsDOMConstructor::HasInstance(nsIXPConne
 
     if (!desc.object() || desc.hasGetterOrSetter() || !desc.value().isObject()) {
       return NS_OK;
     }
 
     JS::Rooted<JSObject*> dot_prototype(cx, &desc.value().toObject());
 
     JS::Rooted<JSObject*> proto(cx, dom_obj);
+    JSAutoCompartment ac(cx, proto);
+
+    if (!JS_WrapObject(cx, &dot_prototype)) {
+      return NS_ERROR_UNEXPECTED;
+    }
+
     for (;;) {
       if (!JS_GetPrototype(cx, proto, &proto)) {
         return NS_ERROR_UNEXPECTED;
       }
       if (!proto) {
         break;
       }
       if (proto == dot_prototype) {
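Review bot: The added `JSAutoCompartment ac(cx, proto);` and `JS_WrapObject(cx, &dot_prototype)` lines carry no comment stating the invariant they establish, and the commit message does not state it either, so a later refactor could drop or reorder them without noticing. I would add above them something like `// Walk the chain in dom_obj's compartment, and wrap dot_prototype into it first, so the proto == dot_prototype test below only ever compares objects from the same compartment.` The order matters: the wrap has to come after the compartment is entered, and the comment should say so. `ac` is declared at function-body level and HasInstance continues outside this hunk, so everything after the loop also runs in the entered compartment. It is worth confirming that nothing there expects the caller's compartment.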