From 09db278bed73da21fd179d83aff9c886d928aaf1 Mon Sep 17 00:00:00 2001
From: Jan de Mooij
Date: Tue, 24 Jul 2018 10:00:50 +0200
Subject: [PATCH] Bug 1477705 - Stop using js::GetGlobalForObjectCrossCompartment in NPAPI code. r=bz
The object could be a CCW here and we want to make it impossible to get a CCW's global. The first call here is equivalent to checking JS_IsGlobalObject and for the second one JS::CurrentGlobalOrNull(cx) preserves behavior because we wrapped the object into the current compartment.
---
 dom/plugins/base/nsJSNPRuntime.cpp | 3 ++-
 dom/plugins/base/nsNPAPIPlugin.cpp | 11 ++++++++---
 2 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/dom/plugins/base/nsJSNPRuntime.cpp b/dom/plugins/base/nsJSNPRuntime.cpp
index 4594ef73c7e2..47358e54e999 100644
--- a/dom/plugins/base/nsJSNPRuntime.cpp
+++ b/dom/plugins/base/nsJSNPRuntime.cpp
@@ -1904,7 +1904,8 @@ nsNPObjWrapper::OnDestroy(NPObject *npobj)
 }
 }
-// Look up or create a JSObject that wraps the NPObject npobj.
+// Look up or create a JSObject that wraps the NPObject npobj. The return value
+// is always in the compartment of the passed-in JSContext (it might be a CCW).
 // static
 JSObject *
diff --git a/dom/plugins/base/nsNPAPIPlugin.cpp b/dom/plugins/base/nsNPAPIPlugin.cpp
index 48c621a63887..8097f841b8a3 100644
--- a/dom/plugins/base/nsNPAPIPlugin.cpp
+++ b/dom/plugins/base/nsNPAPIPlugin.cpp
@@ -1052,11 +1052,16 @@ _evaluate(NPP npp, NPObject* npobj, NPString *script, NPVariant *result)
 options.setFileAndLine(spec, 0);
 JS::Rooted rval(cx);
 JS::AutoObjectVector scopeChain(cx);
-if (obj != js::GetGlobalForObjectCrossCompartment(obj) &&
-!scopeChain.append(obj)) {
+if (!JS_IsGlobalObject(obj) && !scopeChain.append(obj)) {
 return false;
 }
-obj = js::GetGlobalForObjectCrossCompartment(obj);
+// nsNPObjWrapper::GetNewOrUsed returns an object in the current compartment
+// of the JSContext (it might be a CCW).
+MOZ_RELEASE_ASSERT(js::GetObjectCompartment(obj) ==
+js::GetContextCompartment(cx),
+"nsNPObjWrapper::GetNewOrUsed must wrap its return value");
+obj = JS::CurrentGlobalOrNull(cx);
+MOZ_ASSERT(obj);
 nsresult rv = NS_OK;
 {
 nsJSUtils::ExecutionContext exec(cx, obj);
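Review bot: The new MOZ_RELEASE_ASSERT that `obj` is in cx's compartment is placed after `scopeChain.append(obj)` has already put the object on the scope chain, so the same-compartment invariant is enforced only after the first use that depends on it; moving the assert and its comment to just above the `if (!JS_IsGlobalObject(obj) && !scopeChain.append(obj))` line would make it guard both the scope-chain entry and the global lookup. With that assert in place, `JS::CurrentGlobalOrNull(cx)` should only be null if cx has no current compartment, which the release assert already excludes when `obj` is non-null, so leaving the follow-up `MOZ_ASSERT(obj)` debug-only is consistent rather than a gap. One behavioral subtlety that the comment does not spell out: a CCW to another compartment's global is presumably not a global from `JS_IsGlobalObject`'s point of view, so it lands on the scope chain while evaluation runs against cx's current global — the commit message argues this matches the old `obj != GetGlobalForObjectCrossCompartment(obj)` test, and a one-line comment such as `// A CCW to a global is not itself a global and goes on the scope chain; the script runs in cx's current global.` would preserve that reasoning for the next reader. The body of _evaluate starts and ends outside this hunk.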