Bug 1505059 - Compartment fixes for two JSAPI functions. r=tcampbell

Differential Revision: https://phabricator.services.mozilla.com/D11089

--HG--
extra : moz-landing-system : lando

js/src/vm/ArrayBufferObject.cpp

@@ -1847,6 +1847,7 @@ JS_StealArrayBufferContents(JSContext* cx, HandleObject objArg)
 
     JSObject* obj = CheckedUnwrap(objArg);
     if (!obj) {
+        ReportAccessDenied(cx);
         return nullptr;
     }
 

js/src/vm/ArrayBufferViewObject.cpp

@@ -215,19 +215,34 @@ JS_GetArrayBufferViewData(JSObject* obj, bool* isSharedMemory, const JS::AutoReq
 }
 
 JS_FRIEND_API(JSObject*)
-JS_GetArrayBufferViewBuffer(JSContext* cx, HandleObject objArg, bool* isSharedMemory)
+JS_GetArrayBufferViewBuffer(JSContext* cx, HandleObject obj, bool* isSharedMemory)
 {
     AssertHeapIsIdle();
     CHECK_THREAD(cx);
-    cx->check(objArg);
+    cx->check(obj);
 
-    JSObject* obj = CheckedUnwrap(objArg);
-    if (!obj) {
+    JSObject* unwrappedObj = CheckedUnwrap(obj);
+    if (!unwrappedObj) {
+        ReportAccessDenied(cx);
         return nullptr;
     }
-    Rooted<ArrayBufferViewObject*> viewObject(cx, &obj->as<ArrayBufferViewObject>());
-    ArrayBufferObjectMaybeShared* buffer = ArrayBufferViewObject::bufferObject(cx, viewObject);
-    *isSharedMemory = buffer->is<SharedArrayBufferObject>();
+
+    Rooted<ArrayBufferViewObject*> unwrappedView(cx, &unwrappedObj->as<ArrayBufferViewObject>());
+    ArrayBufferObjectMaybeShared* unwrappedBuffer;
+    {
+        AutoRealm ar(cx, unwrappedObj);
+        unwrappedBuffer = ArrayBufferViewObject::bufferObject(cx, unwrappedView);
+        if (!unwrappedBuffer) {
+            return nullptr;
+        }
+    }
+    *isSharedMemory = unwrappedBuffer->is<SharedArrayBufferObject>();
+
+    RootedObject buffer(cx, unwrappedBuffer);
+    if (!cx->compartment()->wrap(cx, &buffer)) {
+        return nullptr;
+    }
+
     return buffer;
 }