From be3cedb1a9b266c15cc010d1de767b44d98a0a54 Mon Sep 17 00:00:00 2001
From: Peter Van der Beken <peterv@propagandism.org>
Date: Mon, 16 Jul 2012 16:52:59 +0200
Subject: [PATCH] Fix for bug 769464 (Check mDOMObjectIsISupports when
 unwrapping). r=bz.

--HG--
extra : rebase_source : 1bdf15c06e0e1e89a877a0f74300bf212de5b60e
---
 dom/bindings/crashtests/769464.html     | 11 +++++++++++
 dom/bindings/crashtests/crashtests.list |  1 +
 js/xpconnect/src/XPCQuickStubs.cpp      |  5 +++++
 testing/crashtest/crashtests.list       |  1 +
 4 files changed, 18 insertions(+)
 create mode 100644 dom/bindings/crashtests/769464.html
 create mode 100644 dom/bindings/crashtests/crashtests.list

diff --git a/dom/bindings/crashtests/769464.html b/dom/bindings/crashtests/769464.html
new file mode 100644
index 000000000000..84d6dbc08b46
--- /dev/null
+++ b/dom/bindings/crashtests/769464.html
@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<script>
+
+function boom()
+{
+    window.getComputedStyle(new Worker("404.js"));
+}
+
+window.addEventListener("load", boom, false);
+
+</script>
diff --git a/dom/bindings/crashtests/crashtests.list b/dom/bindings/crashtests/crashtests.list
new file mode 100644
index 000000000000..c4d5695d7428
--- /dev/null
+++ b/dom/bindings/crashtests/crashtests.list
@@ -0,0 +1 @@
+load 769464.html
diff --git a/js/xpconnect/src/XPCQuickStubs.cpp b/js/xpconnect/src/XPCQuickStubs.cpp
index 3cb3e69c7a55..b5fc28851b69 100644
--- a/js/xpconnect/src/XPCQuickStubs.cpp
+++ b/js/xpconnect/src/XPCQuickStubs.cpp
@@ -752,6 +752,11 @@ castNative(JSContext *cx,
         QITableEntry *entries;
         js::Class* clasp = js::GetObjectClass(cur);
         if (dom::IsDOMClass(clasp)) {
+            dom::DOMJSClass* domClass = dom::DOMJSClass::FromJSClass(clasp);
+            if (!domClass->mDOMObjectIsISupports) {
+                *pThisRef = nsnull;
+                return NS_ERROR_ILLEGAL_VALUE;
+            }
             native = dom::UnwrapDOMObject<nsISupports>(cur);
             entries = nsnull;
         } else if (dom::binding::instanceIsProxy(cur)) {
diff --git a/testing/crashtest/crashtests.list b/testing/crashtest/crashtests.list
index deb9afb5e13d..5b7db0ece736 100644
--- a/testing/crashtest/crashtests.list
+++ b/testing/crashtest/crashtests.list
@@ -23,6 +23,7 @@ include ../../content/media/test/crashtests/crashtests.list
 include ../../docshell/base/crashtests/crashtests.list
 
 include ../../dom/base/crashtests/crashtests.list
+include ../../dom/bindings/crashtests/crashtests.list
 include ../../dom/indexedDB/crashtests/crashtests.list
 include ../../dom/src/offline/crashtests/crashtests.list
 include ../../dom/src/jsurl/crashtests/crashtests.list