зеркало из https://github.com/mozilla/gecko-dev.git
Bug 831076 - Outerize during same-compartment wrapping so that JS_Wrap* is guaranteed to outerize. r=mrbkap
This commit is contained in:
Родитель
be3d55b211
Коммит
54511231e6
|
@ -980,10 +980,6 @@ XPCConvert::NativeInterface2JSObject(XPCLazyCallContext& lccx,
|
||||||
if (!JS_WrapObject(ccx, &flat))
|
if (!JS_WrapObject(ccx, &flat))
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
// Outerize if necessary.
|
|
||||||
flat = JS_ObjectToOuterObject(cx, flat);
|
|
||||||
MOZ_ASSERT(flat, "bad outer object hook!");
|
|
||||||
|
|
||||||
*d = OBJECT_TO_JSVAL(flat);
|
*d = OBJECT_TO_JSVAL(flat);
|
||||||
|
|
||||||
if (dest) {
|
if (dest) {
|
||||||
|
|
|
@ -472,10 +472,17 @@ WrapperFactory::Rewrap(JSContext *cx, JSObject *existing, JSObject *obj,
|
||||||
JSObject *
|
JSObject *
|
||||||
WrapperFactory::WrapForSameCompartment(JSContext *cx, JSObject *obj)
|
WrapperFactory::WrapForSameCompartment(JSContext *cx, JSObject *obj)
|
||||||
{
|
{
|
||||||
|
MOZ_ASSERT(js::IsObjectInContextCompartment(obj, cx));
|
||||||
|
|
||||||
// NB: The contract of WrapForSameCompartment says that |obj| may or may not
|
// NB: The contract of WrapForSameCompartment says that |obj| may or may not
|
||||||
// be a security wrapper. These checks implicitly handle the security
|
// be a security wrapper. These checks implicitly handle the security
|
||||||
// wrapper case.
|
// wrapper case.
|
||||||
|
|
||||||
|
// Outerize if necessary. This, in combination with the check in
|
||||||
|
// PrepareForUnwrapping, means that calling JS_Wrap* always outerizes.
|
||||||
|
obj = JS_ObjectToOuterObject(cx, obj);
|
||||||
|
NS_ENSURE_TRUE(obj, nullptr);
|
||||||
|
|
||||||
if (dom::GetSameCompartmentWrapperForDOMBinding(obj)) {
|
if (dom::GetSameCompartmentWrapperForDOMBinding(obj)) {
|
||||||
return obj;
|
return obj;
|
||||||
}
|
}
|
||||||
|
|
Загрузка…
Ссылка в новой задаче