diff --git a/js/src/vm/ArrayBufferObject.cpp b/js/src/vm/ArrayBufferObject.cpp
index 1a83cc450191..db6deebdf323 100644
--- a/js/src/vm/ArrayBufferObject.cpp
+++ b/js/src/vm/ArrayBufferObject.cpp
@@ -1847,6 +1847,7 @@ JS_StealArrayBufferContents(JSContext* cx, HandleObject objArg)
 JSObject* obj = CheckedUnwrap(objArg);
 if (!obj) {
+ ReportAccessDenied(cx);
 return nullptr;
 }
diff --git a/js/src/vm/ArrayBufferViewObject.cpp b/js/src/vm/ArrayBufferViewObject.cpp
index 82d32ff9a153..c409e92ea0b8 100644
--- a/js/src/vm/ArrayBufferViewObject.cpp
+++ b/js/src/vm/ArrayBufferViewObject.cpp
@@ -215,19 +215,34 @@ JS_GetArrayBufferViewData(JSObject* obj, bool* isSharedMemory, const JS::AutoReq
 }
 JS_FRIEND_API(JSObject*)
-JS_GetArrayBufferViewBuffer(JSContext* cx, HandleObject objArg, bool* isSharedMemory)
+JS_GetArrayBufferViewBuffer(JSContext* cx, HandleObject obj, bool* isSharedMemory)
 {
 AssertHeapIsIdle();
 CHECK_THREAD(cx);
- cx->check(objArg);
+ cx->check(obj);
- JSObject* obj = CheckedUnwrap(objArg);
- if (!obj) {
+ JSObject* unwrappedObj = CheckedUnwrap(obj);
+ if (!unwrappedObj) {
+ ReportAccessDenied(cx);
 return nullptr;
 }
- Rooted viewObject(cx, &obj->as());
- ArrayBufferObjectMaybeShared* buffer = ArrayBufferViewObject::bufferObject(cx, viewObject);
- *isSharedMemory = buffer->is();
+
+ Rooted unwrappedView(cx, &unwrappedObj->as());
+ ArrayBufferObjectMaybeShared* unwrappedBuffer;
+ {
+ AutoRealm ar(cx, unwrappedObj);
+ unwrappedBuffer = ArrayBufferViewObject::bufferObject(cx, unwrappedView);
+ if (!unwrappedBuffer) {
+ return nullptr;
+ }
+ }
+ *isSharedMemory = unwrappedBuffer->is();
+
+ RootedObject buffer(cx, unwrappedBuffer);
+ if (!cx->compartment()->wrap(cx, &buffer)) {
+ return nullptr;
+ }
+
 return buffer;
 }
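Review bot: In JS_GetArrayBufferViewBuffer, the `as` downcast on `unwrappedObj` (template argument not visible in this rendering) follows the `CheckedUnwrap` null check with no type test in the hunk. As far as I know, `as<>()` only asserts the class in debug builds, so in release builds a wrapper around some other kind of object would be treated as a view unless every caller has already verified it. If that precondition is not enforced elsewhere, consider `MOZ_RELEASE_ASSERT(unwrappedObj->is<ArrayBufferViewObject>());` before the cast, or at least a comment stating that callers must pass an ArrayBufferView or a wrapper for one. Separately, the function now returns the buffer wrapped into `cx`'s compartment, so the result may be a cross-compartment wrapper rather than the buffer object itself. A header comment should say so, and that `*isSharedMemory` is left unwritten on every `nullptr` return.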