Bug 1513665 - Add missing realm checks to some Array and Promise functions. r=anba

Differential Revision: https://phabricator.services.mozilla.com/D17511 --HG-- extra : moz-landing-system : lando
2024-12-01 08:42:13 +00:00 · 2019-01-24 19:22:42 +00:00 · 2019-01-24 19:22:42 +00:00 · e2fd8d6b38
commit e2fd8d6b38
parent 465dbfe030
3 changed files with 35 additions and 5 deletions
--- a/js/src/builtin/Array.cpp
+++ b/js/src/builtin/Array.cpp
@ -3677,9 +3677,13 @@ static bool ArrayFromCallArgs(JSContext* cx, CallArgs& args,
 static bool array_of(JSContext* cx, unsigned argc, Value* vp) {
  CallArgs args = CallArgsFromVp(argc, vp);

-  if (IsArrayConstructor(args.thisv()) || !IsConstructor(args.thisv())) {
-    // IsArrayConstructor(this) will usually be true in practice. This is
-    // the most common path.
+  bool isArrayConstructor =
+      IsArrayConstructor(args.thisv()) &&
+      args.thisv().toObject().nonCCWRealm() == cx->realm();
+
+  if (isArrayConstructor || !IsConstructor(args.thisv())) {
+    // isArrayConstructor will usually be true in practice. This is the most
+    // common path.
    return ArrayFromCallArgs(cx, args);
  }

--- a/js/src/builtin/Promise.cpp
+++ b/js/src/builtin/Promise.cpp
@ -1236,7 +1236,8 @@ static MOZ_MUST_USE bool NewPromiseCapability(
  // For Promise.all and Promise.race we can only optimize away the creation
  // of the GetCapabilitiesExecutor function, and directly allocate the
  // result promise instead of invoking the Promise constructor.
-  if (IsNativeFunction(cVal, PromiseConstructor)) {
+  if (IsNativeFunction(cVal, PromiseConstructor) &&
+      cVal.toObject().nonCCWRealm() == cx->realm()) {
    PromiseObject* promise;
    if (canOmitResolutionFunctions) {
      promise = CreatePromiseObjectWithoutResolutionFunctions(cx);
@ -4065,7 +4066,8 @@ static bool Promise_catch_impl(JSContext* cx, unsigned argc, Value* vp,
    return false;
  }

-  if (IsNativeFunction(thenVal, &Promise_then)) {
+  if (IsNativeFunction(thenVal, &Promise_then) &&
+      thenVal.toObject().nonCCWRealm() == cx->realm()) {
    return Promise_then_impl(cx, thisVal, onFulfilled, onRejected, args.rval(),
                             rvalUsed);
  }
--- a/js/src/jit-test/tests/realms/bug1513665.js
+++ b/js/src/jit-test/tests/realms/bug1513665.js
@ -0,0 +1,24 @@
+load(libdir + "asserts.js");
+
+var g = newGlobal();
+
+function testArrayOf() {
+    var a = Array.of.call(g.Array);
+    assertEq(a instanceof g.Array, true);
+}
+testArrayOf();
+
+function testPromiseThen() {
+    var p = Promise.resolve(0);
+    p.constructor = g.Promise;
+    var r = p.then(() => {});
+    assertEq(r instanceof g.Promise, true);
+}
+testPromiseThen();
+
+function testPromiseCatch() {
+    Boolean.prototype.then = g.Promise.prototype.then;
+    assertThrowsInstanceOf(() => Promise.prototype.catch.call(false),
+                           g.TypeError);
+}
+testPromiseCatch();