Bug 1370752: Part 1 - Enter the correct target compartment when creating structured clone holder. r?aswan
MozReview-Commit-ID: AoDsocd3vPu
--- a/dom/base/StructuredCloneBlob.cpp
+++ b/dom/base/StructuredCloneBlob.cpp
@@ -22,28 +22,35 @@ namespace dom {
StructuredCloneBlob::StructuredCloneBlob()
: StructuredCloneHolder(CloningSupported, TransferringNotSupported,
StructuredCloneScope::DifferentProcess)
{};
/* static */ already_AddRefed<StructuredCloneBlob>
StructuredCloneBlob::Constructor(GlobalObject& aGlobal, JS::HandleValue aValue,
- JS::HandleObject aTargetGlobal,
- ErrorResult& aRv)
+ JS::HandleObject aTargetGlobal,
+ ErrorResult& aRv)
{
JSContext* cx = aGlobal.Context();
RefPtr<StructuredCloneBlob> holder = new StructuredCloneBlob();
Maybe<JSAutoCompartment> ac;
JS::RootedValue value(cx, aValue);
if (aTargetGlobal) {
- ac.emplace(cx, aTargetGlobal);
+ JS::RootedObject targetGlobal(cx, js::CheckedUnwrap(aTargetGlobal));
+ if (!targetGlobal) {
+ js::ReportAccessDenied(cx);
+ aRv.NoteJSContextException(cx);
+ return nullptr;
+ }
+
+ ac.emplace(cx, targetGlobal);
if (!JS_WrapValue(cx, &value)) {
aRv.NoteJSContextException(cx);
return nullptr;
}
} else if (value.isObject()) {
JS::RootedObject obj(cx, js::CheckedUnwrap(&value.toObject()));
if (!obj) {