From 2e22601d0059fddea55339363416290f4365afdd Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Wed, 23 Oct 2019 11:29:38 +0200 Subject: Avoid following the prototype chain No longer follow the value's prototype chain when creating index updates in IndexedDB. --- dom/indexedDB/IDBObjectStore.cpp | 23 ++++++++++++++++++++--- 1 file changed, 20 insertions(+), 3 deletions(-) diff --git a/dom/indexedDB/IDBObjectStore.cpp b/dom/indexedDB/IDBObjectStore.cpp index f86c619a72..cbac308947 100644 --- a/dom/indexedDB/IDBObjectStore.cpp +++ b/dom/indexedDB/IDBObjectStore.cpp @@ -1114,7 +1114,7 @@ IDBObjectStore::AppendIndexUpdateInfo( } bool isArray; - if (!JS_IsArrayObject(aCx, val, &isArray)) { + if (NS_WARN_IF(!JS_IsArrayObject(aCx, val, &isArray))) { IDB_REPORT_INTERNAL_ERR(); return NS_ERROR_DOM_INDEXEDDB_UNKNOWN_ERR; } @@ -1127,8 +1127,25 @@ IDBObjectStore::AppendIndexUpdateInfo( } for (uint32_t arrayIndex = 0; arrayIndex < arrayLength; arrayIndex++) { - JS::Rooted arrayItem(aCx); - if (NS_WARN_IF(!JS_GetOwnElement(aCx, array, arrayIndex, &arrayItem))) { + JS::RootedId indexId(aCx); + if (NS_WARN_IF(!JS_IndexToId(aCx, arrayIndex, &indexId))) { + IDB_REPORT_INTERNAL_ERR(); + return NS_ERROR_DOM_INDEXEDDB_UNKNOWN_ERR; + } + + bool hasOwnProperty; + if (NS_WARN_IF( + !JS_HasOwnPropertyById(aCx, array, indexId, &hasOwnProperty))) { + IDB_REPORT_INTERNAL_ERR(); + return NS_ERROR_DOM_INDEXEDDB_UNKNOWN_ERR; + } + + if (!hasOwnProperty) { + continue; + } + + JS::RootedValue arrayItem(aCx); + if (NS_WARN_IF(!JS_GetPropertyById(aCx, array, indexId, &arrayItem))) { IDB_REPORT_INTERNAL_ERR(); return NS_ERROR_DOM_INDEXEDDB_UNKNOWN_ERR; } -- cgit v1.2.3