From 9efb84ea7d9a4468b5141f8315dfb91d47b9c4eb Mon Sep 17 00:00:00 2001
From: "mrbkap%gmail.com"
Date: Fri, 14 Oct 2005 19:05:43 +0000
Subject: [PATCH] bug 311892: Add some (awful, gross) checks. r=brendan

---
 js/src/jsobj.c | 28 ++++++++++++++++++++++++++++
 js/src/jsobj.h | 3 +++
 js/src/jsscript.c | 7 ++++++-
 3 files changed, 37 insertions(+), 1 deletion(-)

diff --git a/js/src/jsobj.c b/js/src/jsobj.c
index 5c1f4d5c668..1d131efe965 100644
--- a/js/src/jsobj.c
+++ b/js/src/jsobj.c
@@ -1064,6 +1064,31 @@ CheckEvalAccess(JSContext *cx, JSObject *scopeobj, JSPrincipals *principals)
 return JS_TRUE;
 }
 
+JSBool
+js_CheckScopeChainValidity(JSContext *cx, JSObject *scopeobj, const char *caller)
+{
+ JSClass *clasp;
+ JSExtendedClass *xclasp;
+
+ /* XXX This is an awful gross hack. */
+ while (scopeobj) {
+ clasp = OBJ_GET_CLASS(cx, scopeobj);
+ if (clasp->flags & JSCLASS_IS_EXTENDED) {
+ xclasp = (JSExtendedClass*)clasp;
+ if (xclasp->innerObject &&
+ xclasp->innerObject(cx, scopeobj) != scopeobj) {
+ JS_ReportErrorNumber(cx, js_GetErrorMessage, NULL,
+ JSMSG_BAD_INDIRECT_CALL, caller);
+ return JS_FALSE;
+ }
+ }
+
+ scopeobj = OBJ_GET_PARENT(cx, scopeobj);
+ }
+
+ return JS_TRUE;
+}
+
 static JSBool
 obj_eval(JSContext *cx, JSObject *obj, uintN argc, jsval *argv, jsval *rval)
 {
@@ -1157,6 +1182,9 @@ obj_eval(JSContext *cx, JSObject *obj, uintN argc, jsval *argv, jsval *rval)
 if (!scopeobj)
 return JS_FALSE;
 
+ if (!js_CheckScopeChainValidity(cx, scopeobj, js_eval_str))
+ return JS_FALSE;
+
 str = JSVAL_TO_STRING(argv[0]);
 if (caller) {
 file = caller->script->filename;
diff --git a/js/src/jsobj.h b/js/src/jsobj.h
index e2268d8a3aa..616394c373b 100644
--- a/js/src/jsobj.h
+++ b/js/src/jsobj.h
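Review bot: js_CheckScopeChainValidity is exported through jsobj.h, yet its only documentation is the `/* XXX This is an awful gross hack. */` line, so a caller cannot tell what a JS_FALSE return means or which chains it rejects. I would put a comment above the definition such as `/* Fail with JSMSG_BAD_INDIRECT_CALL (naming |caller|) if any object on scopeobj's parent chain is an outer object, i.e. its JSExtendedClass innerObject hook maps it to a different object; such a chain must not serve as the scope of an indirect eval. */`. Whether the innerObject hook may return NULL after reporting its own error is not visible here; if it can, the `!= scopeobj` comparison reports a second JSMSG_BAD_INDIRECT_CALL on top of it, so that contract is worth confirming. The call added in the second hunk runs the check after scopeobj is resolved and before the source string is read, which is the right place; obj_eval's body begins and ends outside that hunk.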
@@ -488,6 +488,9 @@ js_GetRequiredSlot(JSContext *cx, JSObject *obj, uint32 slot);
 extern JSBool
 js_SetRequiredSlot(JSContext *cx, JSObject *obj, uint32 slot, jsval v);
 
+extern JSBool
+js_CheckScopeChainValidity(JSContext *cx, JSObject *scopeobj, const char *caller);
+
 JS_END_EXTERN_C
 
 #endif /* jsobj_h___ */
diff --git a/js/src/jsscript.c b/js/src/jsscript.c
index 66549fdcb93..23134e75f5a 100644
--- a/js/src/jsscript.c
+++ b/js/src/jsscript.c
@@ -64,6 +64,8 @@
 
 #if JS_HAS_SCRIPT_OBJECT
 
+static const char js_script_exec[] = "Script.prototype.exec";
+
 #if JS_HAS_TOSOURCE
 static JSBool
 script_toSource(JSContext *cx, JSObject *obj, uintN argc, jsval *argv,
@@ -310,6 +312,9 @@ script_exec(JSContext *cx, JSObject *obj, uintN argc, jsval *argv, jsval *rval)
 if (!scopeobj)
 return JS_FALSE;
 
+ if (!js_CheckScopeChainValidity(cx, scopeobj, js_script_exec))
+ return JS_FALSE;
+
 /* Belt-and-braces: check that this script object has access to scopeobj. */
 principals = script->principals;
 rt = cx->runtime;
@@ -319,7 +324,7 @@ script_exec(JSContext *cx, JSObject *obj, uintN argc, jsval *argv, jsval *rval)
 !principals->subsume(principals, scopePrincipals)) {
 JS_ReportErrorNumber(cx, js_GetErrorMessage, NULL,
 JSMSG_BAD_INDIRECT_CALL,
- "Script.prototype.exec");
+ js_script_exec);
 return JS_FALSE;
 }
 }
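Review bot: js_script_exec is introduced without a comment, and nothing at its definition says it is the entry-point name handed to js_CheckScopeChainValidity and JS_ReportErrorNumber for JSMSG_BAD_INDIRECT_CALL; I would write `/* Name reported in JSMSG_BAD_INDIRECT_CALL errors raised on behalf of Script.prototype.exec. */` above it. In script_exec the new check sits ahead of the principals/subsume check, so a chain holding an outer object is rejected even when principals would subsume; that ordering looks intentional but deserves a one-line comment, e.g. `/* Reject outer objects on the chain before consulting principals. */`. The last hunk replacing the literal with the constant keeps the two error sites in sync, which is good. script_exec's body begins and ends outside these hunks, and whether jsscript.c already includes jsobj.h for the new prototype is not visible here.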