Bug 1019761 - Fix null dialogArguments deref. r=bz
☠☠ backed out by b8e17d034a6f ☠ ☠
authorCatalin Badea <cbadea@mozilla.com>
Tue, 03 Jun 2014 14:01:00 -0400
changeset 207174 2eb0ae4b9e79dcd6ee23624f142f94a1e179391a
parent 207173 5fb57bc2a2135b27307a0aa1ca3094160d531b49
child 207175 7991c0d11413a43b39bd5dd0ee39753fc252646f
push id494
push userraliiev@mozilla.com
push dateMon, 25 Aug 2014 18:42:16 +0000
treeherdermozilla-release@a3cc3e46b571 [default view] [failures only]
reviewersbz
bugs1019761
milestone32.0a1
Bug 1019761 - Fix null dialogArguments deref. r=bz
dom/base/nsGlobalWindow.cpp
dom/base/test/mochitest.ini
dom/base/test/test_dialogArguments.html
--- a/dom/base/nsGlobalWindow.cpp
+++ b/dom/base/nsGlobalWindow.cpp
@@ -13630,16 +13630,21 @@ JS::Value
 nsGlobalWindow::GetDialogArguments(JSContext* aCx, ErrorResult& aError)
 {
   FORWARD_TO_OUTER_OR_THROW(GetDialogArguments, (aCx, aError), aError,
                             JS::UndefinedValue());
 
   MOZ_ASSERT(IsModalContentWindow(),
              "This should only be called on modal windows!");
 
+  if (!mDialogArguments) {
+    MOZ_ASSERT(mIsClosed, "This window should be closed!");
+    return JS::UndefinedValue();
+  }
+
   // This does an internal origin check, and returns undefined if the subject
   // does not subsumes the origin of the arguments.
   JS::Rooted<JSObject*> wrapper(aCx, GetWrapper());
   JSAutoCompartment ac(aCx, wrapper);
   JS::Rooted<JS::Value> args(aCx);
   mDialogArguments->Get(aCx, wrapper, nsContentUtils::SubjectPrincipal(),
                         &args, aError);
   return args;
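Review bot: The new early return at `if (!mDialogArguments)` has no comment saying why a null value is expected here, and the invariant it relies on is checked only by `MOZ_ASSERT(mIsClosed, ...)`, which is compiled out of release builds. The accompanying test shows that content script can reach this getter on a closed modal window, so I would state that above the guard: `// mDialogArguments can be null once the modal window has been closed; script that kept a reference to the window can still read the property.` If some path other than closing can leave the member null (not visible in this hunk), debug builds would abort on the assertion while release builds silently return undefined, so it is worth confirming where the member is cleared. The function body continues past the end of the hunk.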
--- a/dom/base/test/mochitest.ini
+++ b/dom/base/test/mochitest.ini
@@ -3,45 +3,46 @@ support-files =
   audio.ogg
   iframe_messageChannel_cloning.html
   iframe_messageChannel_chrome.html
   iframe_messageChannel_pingpong.html
   iframe_messageChannel_post.html
   file_empty.html
   iframe_postMessage_solidus.html
 
-[test_Image_constructor.html]
 [test_appname_override.html]
 [test_audioWindowUtils.html]
 [test_audioNotification.html]
 [test_bug793311.html]
 [test_bug913761.html]
 [test_bug978522.html]
 [test_bug979109.html]
 [test_bug989665.html]
 [test_bug999456.html]
 [test_clearTimeoutIntervalNoArg.html]
 [test_consoleEmptyStack.html]
 [test_constructor-assignment.html]
 [test_constructor.html]
+[test_dialogArguments.html]
 [test_document.all_unqualified.html]
 [test_domcursor.html]
 [test_domrequest.html]
 [test_domwindowutils.html]
 [test_e4x_for_each.html]
 [test_error.html]
 [test_getTranslationNodes.html]
 [test_getTranslationNodes_limit.html]
 [test_gsp-qualified.html]
 [test_gsp-quirks.html]
 [test_gsp-standards.html]
 [test_getFeature_with_perm.html]
 [test_getFeature_without_perm.html]
 [test_history_document_open.html]
 [test_history_state_null.html]
+[test_Image_constructor.html]
 [test_innersize_scrollport.html]
 [test_messageChannel.html]
 [test_messageChannel_cloning.html]
 [test_messageChannel_pingpong.html]
 [test_messageChannel_post.html]
 [test_messageChannel_pref.html]
 [test_messageChannel_start.html]
 [test_messagemanager_targetchain.html]
new file mode 100644
--- /dev/null
+++ b/dom/base/test/test_dialogArguments.html
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html>
+<head>
+	<title>Test for Bug 1019761</title>
+	<script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+	<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+
+	<meta http-equiv="content-type" content="text/html; charset=utf-8">
+</head>
+<body>
+<script type="application/javascript">
+
+/*
+	Tests whether Firefox crashes when accessing the dialogArguments property
+	of a modal window that has been closed.
+*/
+SimpleTest.waitForExplicitFinish();
+
+function openModal() {
+	showModalDialog("javascript:opener.winRef = window; \
+		window.opener.setTimeout(\'winRef.dialogArguments;\', 0);\
+		window.close();");
+
+	ok(true, "dialogArguments did not cause a crash.");
+	SimpleTest.finish();
+}
+
+window.onload = openModal;
+</script>
+</body>
+</html>
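Review bot: `openModal()` reports success and calls `SimpleTest.finish()` as soon as `showModalDialog()` returns, but the `winRef.dialogArguments` read is only queued with `window.opener.setTimeout(..., 0)`, so the test may well finish before the getter under test has run. Whether the opener's timeout fires before or after the dialog call returns is not something these lines establish, and if it fires afterwards the test passes without exercising the fix. I would have the queued callback end the test, for example by changing the timeout string to `'winRef.dialogArguments; opener.finishTest();'` and moving `ok(true, "dialogArguments did not cause a crash.")` and `SimpleTest.finish()` into a `finishTest()` function in the opener. The block comment could also say that the read is deliberately deferred until after `window.close()`.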