[IndexedDB] Ensure that strong references to newly created cursors are

kept until the DOM Binding is created.

This fixes random crashes on websites that use IndexedDB cursors.
See also BZ bug 1599420

1 files changed, 4 insertions, 2 deletions

diff --git a/dom/indexedDB/ActorsChild.cpp b/dom/indexedDB/ActorsChild.cpp
index 30dc9b6dab..85f876cdc1 100644
--- a/dom/indexedDB/ActorsChild.cpp
+++ b/dom/indexedDB/ActorsChild.cpp
@@ -3291,6 +3291,10 @@ BackgroundCursorChild::HandleResponse(
   auto& responses =
     const_cast<nsTArray<ObjectStoreCursorResponse>&>(aResponses);
 
+  // If a new cursor is created, we need to keep a reference to it until the
+  // ResultHelper creates a DOM Binding.
+  RefPtr<IDBCursor> newCursor;
+
   for (ObjectStoreCursorResponse& response : responses) {
     StructuredCloneReadInfo cloneReadInfo(Move(response.cloneInfo()));
     cloneReadInfo.mDatabase = mTransaction->Database();
@@ -3300,8 +3304,6 @@ BackgroundCursorChild::HandleResponse(
                                     nullptr,
                                     cloneReadInfo.mFiles);
 
-    RefPtr<IDBCursor> newCursor;
-
     if (mCursor) {
       mCursor->Reset(Move(response.key()), Move(cloneReadInfo));
     } else {