From 62e70b06f52852c2d0a44503d7da1553d4279da7 Mon Sep 17 00:00:00 2001
From: Bobby Holley
Date: Wed, 6 Aug 2014 23:32:22 -0400
Subject: [PATCH] Bug 1042436 - Always enter the wrapper's compartment before invoking SilentFailure. r=gabor
---
 js/xpconnect/wrappers/XrayWrapper.cpp | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/js/xpconnect/wrappers/XrayWrapper.cpp b/js/xpconnect/wrappers/XrayWrapper.cpp
index f20143bffe3a..918ec37a438b 100644
--- a/js/xpconnect/wrappers/XrayWrapper.cpp
+++ b/js/xpconnect/wrappers/XrayWrapper.cpp
@@ -612,8 +612,10 @@ bool JSXrayTraits::getOwnPropertyFromTargetIfSafe(JSContext *cx,
 return true;
 // Disallow accessor properties.
- if (desc.hasGetterOrSetter())
+ if (desc.hasGetterOrSetter()) {
+ JSAutoCompartment ac(cx, wrapper);
 return SilentFailure(cx, id, "Property has accessor");
+ }
 // Apply extra scrutiny to objects.
 if (desc.value().isObject()) {
@@ -621,17 +623,23 @@ bool JSXrayTraits::getOwnPropertyFromTargetIfSafe(JSContext *cx,
 JSAutoCompartment ac(cx, propObj);
 // Disallow non-subsumed objects.
- if (!AccessCheck::subsumes(target, propObj))
+ if (!AccessCheck::subsumes(target, propObj)) {
+ JSAutoCompartment ac(cx, wrapper);
 return SilentFailure(cx, id, "Value not same-origin with target");
+ }
 // Disallow non-Xrayable objects.
 XrayType xrayType = GetXrayType(propObj);
- if (xrayType == NotXray || xrayType == XrayForOpaqueObject)
+ if (xrayType == NotXray || xrayType == XrayForOpaqueObject) {
+ JSAutoCompartment ac(cx, wrapper);
 return SilentFailure(cx, id, "Value not Xrayable");
+ }
 // Disallow callables.
- if (JS_ObjectIsCallable(cx, propObj))
+ if (JS_ObjectIsCallable(cx, propObj)) {
+ JSAutoCompartment ac(cx, wrapper);
 return SilentFailure(cx, id, "Value is callable");
+ }
 }
 // Disallow any property that shadows something on its (Xrayed)
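Review bot: The added `JSAutoCompartment ac(cx, wrapper);` in the accessor-property branch carries no comment saying why the compartment switch is required, and the same pattern is repeated three more times in the second hunk. SilentFailure's body is outside this diff, so presumably it reports on `cx` and must not run while `cx` is still in the target's or the property object's compartment. A one-line comment such as `// SilentFailure reports on cx; re-enter the wrapper's compartment first.` would make that invariant visible. Because the invariant is upheld separately at every call site, a later call could omit it; passing `wrapper` to SilentFailure and entering the compartment there would enforce it in one place. The enclosing function starts and ends outside the hunk.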
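Review bot: Each of the three added `JSAutoCompartment ac(cx, wrapper);` declarations in the second hunk shadows the outer `JSAutoCompartment ac(cx, propObj);` declared at the top of the `isObject()` block. The nesting is legal and the inner guard unwinds before the outer one on return, but two live guards with the same name make it easy to misread which compartment `cx` is in when SilentFailure runs, and a shadowing warning would flag it. A distinct name removes the ambiguity, e.g. `JSAutoCompartment acWrapper(cx, wrapper);`. The enclosing block opens before this hunk and the function continues after it.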