зеркало из https://github.com/mozilla/gecko-dev.git
Bug 831076 - Outerize during same-compartment wrapping so that JS_Wrap* is guaranteed to outerize. r=mrbkap
This commit is contained in:
Родитель
be3d55b211
Коммит
54511231e6
|
@ -980,10 +980,6 @@ XPCConvert::NativeInterface2JSObject(XPCLazyCallContext& lccx,
|
|||
if (!JS_WrapObject(ccx, &flat))
|
||||
return false;
|
||||
|
||||
// Outerize if necessary.
|
||||
flat = JS_ObjectToOuterObject(cx, flat);
|
||||
MOZ_ASSERT(flat, "bad outer object hook!");
|
||||
|
||||
*d = OBJECT_TO_JSVAL(flat);
|
||||
|
||||
if (dest) {
|
||||
|
|
|
@ -472,10 +472,17 @@ WrapperFactory::Rewrap(JSContext *cx, JSObject *existing, JSObject *obj,
|
|||
JSObject *
|
||||
WrapperFactory::WrapForSameCompartment(JSContext *cx, JSObject *obj)
|
||||
{
|
||||
MOZ_ASSERT(js::IsObjectInContextCompartment(obj, cx));
|
||||
|
||||
// NB: The contract of WrapForSameCompartment says that |obj| may or may not
|
||||
// be a security wrapper. These checks implicitly handle the security
|
||||
// wrapper case.
|
||||
|
||||
// Outerize if necessary. This, in combination with the check in
|
||||
// PrepareForUnwrapping, means that calling JS_Wrap* always outerizes.
|
||||
obj = JS_ObjectToOuterObject(cx, obj);
|
||||
NS_ENSURE_TRUE(obj, nullptr);
|
||||
|
||||
if (dom::GetSameCompartmentWrapperForDOMBinding(obj)) {
|
||||
return obj;
|
||||
}
|
||||
|
|
Загрузка…
Ссылка в новой задаче