Fix some potential rooting hazards in the NPAPI plugin interface.

Found with SA.
Pale Moon
2017-10-04 17:40:49 +02:00
committed by Roy Tam
parent e973037afa
commit f24f4a4cd0
+11 -5
@@ -198,7 +198,8 @@ static bool
NPObjWrapper_Construct(JSContext *cx, unsigned argc, JS::Value *vp);
static bool
CreateNPObjectMember(NPP npp, JSContext *cx, JSObject *obj, NPObject* npobj,
CreateNPObjectMember(NPP npp, JSContext *cx,
JS::Handle<JSObject*> obj, NPObject* npobj,
JS::Handle<jsid> id, NPVariant* getPropertyResult,
JS::MutableHandle<JS::Value> vp);
@@ -1217,7 +1218,7 @@ nsJSObjWrapper::GetNewOrUsed(NPP npp, JSContext *cx, JS::Handle<JSObject*> obj)
// compartment for callers that plan to hold onto the result or do anything
// substantial with it.
static JSObject *
GetNPObjectWrapper(JSContext *cx, JSObject *aObj, bool wrapResult = true)
GetNPObjectWrapper(JSContext *cx, JS::Handle<JSObject*> aObj, bool wrapResult = true)
{
JS::Rooted<JSObject*> obj(cx, aObj);
while (obj && (obj = js::CheckedUnwrap(obj))) {
@@ -1237,8 +1238,9 @@ GetNPObjectWrapper(JSContext *cx, JSObject *aObj, bool wrapResult = true)
}
static NPObject *
GetNPObject(JSContext *cx, JSObject *obj)
GetNPObject(JSContext *cx, JS::Handle<JSObject*> aObj)
{
JS::Rooted<JSObject*> obj(cx, aObj);
obj = GetNPObjectWrapper(cx, obj, /* wrapResult = */ false);
if (!obj) {
return nullptr;
@@ -2083,7 +2085,8 @@ LookupNPP(NPObject *npobj)
}
static bool
CreateNPObjectMember(NPP npp, JSContext *cx, JSObject *obj, NPObject* npobj,
CreateNPObjectMember(NPP npp, JSContext *cx,
JS::Handle<JSObject*> aObj, NPObject* npobj,
JS::Handle<jsid> id, NPVariant* getPropertyResult,
JS::MutableHandle<JS::Value> vp)
{
@@ -2102,6 +2105,8 @@ CreateNPObjectMember(NPP npp, JSContext *cx, JSObject *obj, NPObject* npobj,
// Make sure to clear all members in case something fails here
// during initialization.
memset(memberPrivate, 0, sizeof(NPObjectMemberPrivate));
JS::Rooted<JSObject*> obj(cx, aObj);
JSObject *memobj = ::JS_NewObject(cx, &sNPObjectMemberClass);
if (!memobj) {
@@ -2209,7 +2214,8 @@ NPObjectMember_Call(JSContext *cx, unsigned argc, JS::Value *vp)
if (!memberPrivate || !memberPrivate->npobjWrapper)
return false;
NPObject *npobj = GetNPObject(cx, memberPrivate->npobjWrapper);
JS::Rooted<JSObject*> objWrapper(cx, memberPrivate->npobjWrapper);
NPObject *npobj = GetNPObject(cx, objWrapper);
if (!npobj) {
ThrowJSException(cx, "Call on invalid member object");