From cf3c80ffac92ffba9c03a7d6b7c64dc158f140d1 Mon Sep 17 00:00:00 2001
From: Till Schneidereit
Date: Wed, 20 Jul 2016 04:58:00 -0400
Subject: [PATCH] Bug 1287335 - Properly handle failure to unwrap cross-compartment wrappers in Promise-related DebuggerObject accessors. r=fitzgen
---
 js/src/vm/Debugger.cpp | 36 ++++++++++++++++++++++++++++--------
 js/src/vm/Debugger.h | 3 ++-
 2 files changed, 30 insertions(+), 9 deletions(-)
diff --git a/js/src/vm/Debugger.cpp b/js/src/vm/Debugger.cpp
index ff8f2abd799d5..cce681afd9c80 100644
--- a/js/src/vm/Debugger.cpp
+++ b/js/src/vm/Debugger.cpp
@@ -8006,6 +8006,10 @@ DebuggerObject::checkThis(JSContext* cx, const CallArgs& args, const char* fnnam
 #define THIS_DEBUGOBJECT_PROMISE(cx, argc, vp, fnname, args, obj) \
 THIS_DEBUGOBJECT_REFERENT(cx, argc, vp, fnname, args, obj); \
 obj = CheckedUnwrap(obj); \
+ if (!obj) { \
+ JS_ReportError(cx, "Permission denied to access object"); \
+ return false; \
+ } \
 if (!obj->is()) { \
 JS_ReportErrorNumber(cx, GetErrorMessage, nullptr, JSMSG_NOT_EXPECTED_TYPE, \
 "Debugger", "Promise", obj->getClass()->name); \
@@ -8016,6 +8020,10 @@ DebuggerObject::checkThis(JSContext* cx, const CallArgs& args, const char* fnnam
 #define THIS_DEBUGOBJECT_OWNER_PROMISE(cx, argc, vp, fnname, args, dbg, obj) \
 THIS_DEBUGOBJECT_OWNER_REFERENT(cx, argc, vp, fnname, args, dbg, obj); \
 obj = CheckedUnwrap(obj); \
+ if (!obj) { \
+ JS_ReportError(cx, "Permission denied to access object"); \
+ return false; \
+ } \
 if (!obj->is()) { \
 JS_ReportErrorNumber(cx, GetErrorMessage, nullptr, JSMSG_NOT_EXPECTED_TYPE, \
 "Debugger", "Promise", obj->getClass()->name); \
@@ -8329,7 +8337,11 @@ DebuggerObject::isPromiseGetter(JSContext* cx, unsigned argc, Value* vp)
 {
 THIS_DEBUGOBJECT(cx, argc, vp, "get isPromise", args, object)
- args.rval().setBoolean(object->isPromise());
+ bool result;
+ if (!DebuggerObject::isPromise(cx, object, result)) return false;
+
+ args.rval().setBoolean(result);
 return true;
 }
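Review bot: The new null check in THIS_DEBUGOBJECT_PROMISE reports its failure with a hard-coded string, `JS_ReportError(cx, "Permission denied to access object")`, while the type check two lines below goes through `JS_ReportErrorNumber(cx, GetErrorMessage, nullptr, ...)` and the message table. The same literal is repeated in THIS_DEBUGOBJECT_OWNER_PROMISE in the next hunk and again in DebuggerObject::isPromise further down, so a single message-table entry would keep the three sites consistent and give debugger clients one identifiable error when CheckedUnwrap refuses to see through a wrapper. A null return here means the wrapper's access policy denied the unwrap, so failing the accessor is the right outcome; only the reporting style is at issue.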
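Review bot: `bool result;` in isPromiseGetter is left uninitialized and is written only on the success path of DebuggerObject::isPromise, so any caller that mishandles the false return would read an indeterminate value. The MOZ_MUST_USE on that method keeps this caller honest, but `bool result = false;` costs nothing and removes the hazard for the next call site copied from this one.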
@@ -9008,14 +9020,22 @@ DebuggerObject::isGlobal() const
 return referent()->is();
 }
-bool
-DebuggerObject::isPromise() const
+/* static */ bool
+DebuggerObject::isPromise(JSContext* cx, Handle object,
+ bool& result)
 {
- JSObject* obj = referent();
- if (IsCrossCompartmentWrapper(obj))
- obj = CheckedUnwrap(obj);
+ JSObject* referent = object->referent();
+ if (IsCrossCompartmentWrapper(referent)) {
+ referent = CheckedUnwrap(referent);
+
+ if (!referent) {
+ JS_ReportError(cx, "Permission denied to access object");
+ return false;
+ }
+ }
- return obj->is();
+ result = referent->is();
+ return true;
 }
 /* static */ bool
@@ -10110,7 +10130,7 @@ DebuggerEnvironment::getNames(JSContext* cx, Handle enviro
 if (JSID_IS_ATOM(id) && IsIdentifier(JSID_TO_ATOM(id))) {
 if (!result.append(id))
 return false;
- }
+ }
 }
 return true;
diff --git a/js/src/vm/Debugger.h b/js/src/vm/Debugger.h
index 31071b6aee1df..5268aa79935c5 100644
--- a/js/src/vm/Debugger.h
+++ b/js/src/vm/Debugger.h
@@ -1242,6 +1242,8 @@ class DebuggerObject : public NativeObject
 MutableHandleObject result);
 static MOZ_MUST_USE bool unwrap(JSContext* cx, Handle object,
 MutableHandle result);
+ static MOZ_MUST_USE bool isPromise(JSContext* cx, Handle object,
+ bool& result);
 // Infallible properties
 bool isCallable() const;
@@ -1250,7 +1252,6 @@ class DebuggerObject : public NativeObject
 bool isBoundFunction() const;
 bool isArrowFunction() const;
 bool isGlobal() const;
- bool isPromise() const;
 JSAtom* name() const;
 JSAtom* displayName() const;
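Review bot: DebuggerObject::isPromise still wraps the unwrap in `if (IsCrossCompartmentWrapper(referent)) {`, while the THIS_DEBUGOBJECT_PROMISE macros earlier in the file call `CheckedUnwrap` unconditionally; if CheckedUnwrap hands back non-wrapper objects unchanged, as I believe it does, the guard is redundant and dropping it would make the two Promise paths take the same shape, with the `if (!referent)` check applying in every case. The method also leaves `result` untouched when it returns false, which is fine for isPromiseGetter but is worth a one-line comment above `/* static */ bool` stating that `result` is only written on success. The failure path itself is right: a null from CheckedUnwrap is an access-policy denial rather than a programming error, and reporting it instead of dereferencing is the fix this bug asked for.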
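Review bot: The new `isPromise` declaration in Debugger.h now sits beside `unwrap` in the fallible group, but nothing at the declaration says why a method that used to be listed under `// Infallible properties` can now fail. A comment such as `// Fails, reporting an error, if the referent is a wrapper the debugger is not permitted to unwrap; |result| is untouched in that case.` above the declaration would tell callers that a false return is a permission boundary and not a "not a promise" answer.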