Fix null ptr deref crash on shortid-bearing proto-property watch (303277, r=shaver).
Родитель
a313f39659
Коммит
729d4c0f98
@ -335,7 +335,7 @@ js_watch_set(JSContext *cx, JSObject *obj, jsval id, jsval *vp)
JSRuntime *rt;
JSRuntime *rt;
JSWatchPoint *wp;
JSWatchPoint *wp;
JSScopeProperty *sprop;
JSScopeProperty *sprop;
jsval userid;
jsval propid, userid;
JSScope *scope;
JSScope *scope;
JSBool ok;
JSBool ok;
@ -346,11 +346,14 @@ js_watch_set(JSContext *cx, JSObject *obj, jsval id, jsval *vp)
sprop = wp->sprop;
sprop = wp->sprop;
if (wp->object == obj && SPROP_USERID(sprop) == id) {
if (wp->object == obj && SPROP_USERID(sprop) == id) {
JS_LOCK_OBJ(cx, obj);
JS_LOCK_OBJ(cx, obj);
userid = SPROP_USERID(sprop);
propid = ID_TO_VALUE(sprop->id);
userid = (sprop->flags & SPROP_HAS_SHORTID)
? INT_TO_JSVAL(sprop->shortid)
: propid;
scope = OBJ_SCOPE(obj);
scope = OBJ_SCOPE(obj);
JS_UNLOCK_OBJ(cx, obj);
JS_UNLOCK_OBJ(cx, obj);
HoldWatchPoint(wp);
HoldWatchPoint(wp);
ok = wp->handler(cx, obj, userid,
ok = wp->handler(cx, obj, propid,
SPROP_HAS_VALID_SLOT(sprop, scope)
SPROP_HAS_VALID_SLOT(sprop, scope)
? OBJ_GET_SLOT(cx, obj, wp->sprop->slot)
? OBJ_GET_SLOT(cx, obj, wp->sprop->slot)
: JSVAL_VOID,
: JSVAL_VOID,
@ -475,7 +478,8 @@ JS_SetWatchPoint(JSContext *cx, JSObject *obj, jsval id,
/* Clone the prototype property so we can watch the right object. */
/* Clone the prototype property so we can watch the right object. */
jsval value;
jsval value;
JSPropertyOp getter, setter;
JSPropertyOp getter, setter;
uintN attrs;
uintN attrs, flags;
intN shortid;
if (OBJ_IS_NATIVE(pobj)) {
if (OBJ_IS_NATIVE(pobj)) {
value = SPROP_HAS_VALID_SLOT(sprop, OBJ_SCOPE(pobj))
value = SPROP_HAS_VALID_SLOT(sprop, OBJ_SCOPE(pobj))
@ -484,18 +488,23 @@ JS_SetWatchPoint(JSContext *cx, JSObject *obj, jsval id,
getter = sprop->getter;
getter = sprop->getter;
setter = sprop->setter;
setter = sprop->setter;
attrs = sprop->attrs;
attrs = sprop->attrs;
flags = sprop->flags;
shortid = sprop->shortid;
} else {
} else {
if (!OBJ_GET_PROPERTY(cx, pobj, id, &value)) {
if (!OBJ_GET_PROPERTY(cx, pobj, id, &value) ||
!OBJ_GET_ATTRIBUTES(cx, pobj, id, prop, &attrs)) {
OBJ_DROP_PROPERTY(cx, pobj, prop);
OBJ_DROP_PROPERTY(cx, pobj, prop);
return JS_FALSE;
return JS_FALSE;
}
}
getter = setter = JS_PropertyStub;
getter = setter = NULL;
attrs = JSPROP_ENUMERATE;
flags = 0;
shortid = 0;
}
}
OBJ_DROP_PROPERTY(cx, pobj, prop);
OBJ_DROP_PROPERTY(cx, pobj, prop);
if (!js_DefineProperty(cx, obj, propid, value, getter, setter, attrs,
/* Recall that obj is native, whether or not pobj is native. */
&prop)) {
if (!js_DefineNativeProperty(cx, obj, propid, value, getter, setter,
attrs, flags, shortid, &prop)) {
return JS_FALSE;
return JS_FALSE;
}
}
sprop = (JSScopeProperty *) prop;
sprop = (JSScopeProperty *) prop;
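Review bot: The native branch of JS_SetWatchPoint copies the whole `sprop->flags` word into the property cloned onto obj (`flags = sprop->flags;`), so any flag bits beyond SPROP_HAS_SHORTID that the prototype's scope property carries are inherited by the clone, while the non-native branch deliberately starts from `flags = 0;`. If only the shortid bit is meant to survive the clone, narrow it to `flags = sprop->flags & SPROP_HAS_SHORTID;`; if inheriting every bit is intended, a one-line comment next to the assignment saying that the clone mirrors all of the prototype property's flags would stop a reader from assuming the two branches are meant to agree. Both values feed `js_DefineNativeProperty(cx, obj, propid, value, getter, setter, attrs, flags, shortid, &prop)` a few lines down, so the choice decides what the watched property looks like on obj. JS_SetWatchPoint begins before the first of its two hunks and continues past this one, so whether sprop is still read under a lock at this point cannot be confirmed from the hunk.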