Bug 763225. Take a bit more care about our compartments in SetJSEventListenerToJsval. r=smaug,bholley

content/events/src/nsEventListenerManager.cpp

@@ -1034,6 +1034,19 @@ nsEventListenerManager::SetJSEventListenerToJsval(nsIAtom *aEventName,
     return NS_OK;
   }
 
+  // Now ensure that we're working in the compartment of aScope from now on.
+  JSAutoEnterCompartment ac;
+  if (!ac.enter(cx, aScope)) {
+    return NS_ERROR_UNEXPECTED;
+  }
+
+  // Rewrap the handler into the new compartment, if needed.
+  jsval tempVal = v;
+  if (!JS_WrapValue(cx, &tempVal)) {
+    return NS_ERROR_UNEXPECTED;
+  }
+  handler = &tempVal.toObject();
+
   // We might not have a script context, e.g. if we're setting a listener
   // on a dead Window.
   nsIScriptContext *context = nsJSUtils::GetStaticScriptContext(cx, aScope);

content/events/src/nsEventListenerManager.h

@@ -259,7 +259,9 @@ public:
   /**
    * Set the "inline" event listener for aEventName to |v|.  This
    * might actually remove the event listener, depending on the value
-   * of |v|.
+   * of |v|.  Note that on entry to this function cx and aScope might
+   * not be in the same compartment, though cx and v are guaranteed to
+   * be in the same compartment.
    */
   nsresult SetJSEventListenerToJsval(nsIAtom *aEventName, JSContext *cx,
                                      JSObject *aScope, const jsval &v);