From 748441ac464585eb4feb0b291852496ac6c596ca Mon Sep 17 00:00:00 2001
From: Aaron Klotz <aklotz@mozilla.com>
Date: Fri, 21 Jul 2017 16:16:16 -0600
Subject: [PATCH] Bug 1383260: Fix problems with unmarshaling handler-wrapped
 object when in its original apartment; r=jimm

---
 ipc/mscom/Objref.cpp      |  8 ++++++++
 ipc/mscom/oop/Handler.cpp | 12 +++++++-----
 2 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/ipc/mscom/Objref.cpp b/ipc/mscom/Objref.cpp
index bb180adcf580..dc4b59b60831 100644
--- a/ipc/mscom/Objref.cpp
+++ b/ipc/mscom/Objref.cpp
@@ -242,6 +242,14 @@ StripHandlerFromOBJREF(NotNull<IStream*> aStream)
     return false;
   }
 
+  // The difference between a OBJREF_STANDARD and an OBJREF_HANDLER is
+  // sizeof(CLSID), so we'll zero out the remaining bytes.
+  CLSID zeroClsid = {0};
+  hr = aStream->Write(&zeroClsid, sizeof(CLSID), &bytesWritten);
+  if (FAILED(hr) || bytesWritten != sizeof(CLSID)) {
+    return false;
+  }
+
   return true;
 }
 
diff --git a/ipc/mscom/oop/Handler.cpp b/ipc/mscom/oop/Handler.cpp
index 7cbfe348b041..d7d01df1aad5 100644
--- a/ipc/mscom/oop/Handler.cpp
+++ b/ipc/mscom/oop/Handler.cpp
@@ -141,6 +141,10 @@ Handler::GetMarshalSizeMax(REFIID riid, void* pv, DWORD dwDestContext,
   hr = mUnmarshal->GetMarshalSizeMax(marshalAs, unkToMarshal.get(),
                                      dwDestContext, pvDestContext,
                                      mshlflags, pSize);
+
+#if defined(MOZ_MSCOM_REMARSHAL_NO_HANDLER)
+  return hr;
+#else
   if (FAILED(hr)) {
     return hr;
   }
@@ -157,6 +161,7 @@ Handler::GetMarshalSizeMax(REFIID riid, void* pv, DWORD dwDestContext,
 
   *pSize += payloadSize;
   return S_OK;
+#endif // defined(MOZ_MSCOM_REMARSHAL_NO_HANDLER)
 }
 
 HRESULT
@@ -235,17 +240,14 @@ Handler::UnmarshalInterface(IStream* pStm, REFIID riid, void** ppv)
     return hr;
   }
 
-  hr = ReadHandlerPayload(pStm, unmarshalAs);
-
   // This method may be called on the same object multiple times (as new
   // interfaces are queried off the proxy). Not all interfaces will necessarily
   // refresh the payload, so we set mHasPayload using OR to reflect that fact.
   // (Otherwise mHasPayload could be cleared and the handler would think that
   // it doesn't have a payload even though it actually does).
-  mHasPayload |= (hr == S_OK);
+  mHasPayload |= (ReadHandlerPayload(pStm, unmarshalAs) == S_OK);
 
-  // hr may be S_FALSE, but we don't want to return that
-  return SUCCEEDED(hr) ? S_OK : hr;
+  return hr;
 }
 
 HRESULT