No Issue - StructuredClone serialize and deserialize should treat back reference consistently

Backport of https://bugzilla.mozilla.org/show_bug.cgi?id=1538622
author: Basilisk-Dev <basiliskdev@protonmail.com> 2023-10-30 15:38:40 -0400
committer: Basilisk-Dev <basiliskdev@protonmail.com> 2023-10-30 15:38:40 -0400
commit: fc1697622c4086da9606f2f2b1b4886ef8f5c464 (patch)
tree: b6393c9c7253c2326a5f5a32f7492ec5d92d0c8c /js
parent: ecb8ae6aba40290bb1adb12991e5515f91f00b80 (diff)
download: uxp-fc1697622c4086da9606f2f2b1b4886ef8f5c464.tar.gz
1 files changed, 30 insertions, 2 deletions
diff --git a/js/src/vm/StructuredClone.cpp b/js/src/vm/StructuredClone.cpp
index f7b7c75965..daaaf52b92 100644
--- a/js/src/vm/StructuredClone.cpp
+++ b/js/src/vm/StructuredClone.cpp
@@ -2046,6 +2046,7 @@ bool
 JSStructuredCloneReader::startRead(MutableHandleValue vp)
 {
     uint32_t tag, data;
+    bool alreadAppended = false;
 
     if (!in.readPair(&tag, &data))
         return false;
@@ -2246,15 +2247,29 @@ JSStructuredCloneReader::startRead(MutableHandleValue vp)
                                       "unsupported type");
             return false;
         }
+
+        // callbacks->read() might read other objects from the buffer.
+        // In startWrite we always write the object itself before calling
+        // the custom function. We should do the same here to keep
+        // indexing consistent.
+        uint32_t placeholderIndex = allObjs.length();
+        Value dummy = UndefinedValue();
+        if (!allObjs.append(dummy)) {
+            return false;
+        }
+
         JSObject* obj = callbacks->read(context(), this, tag, data, closure);
         if (!obj)
             return false;
         vp.setObject(*obj);
+        allObjs[placeholderIndex].set(vp);
+        alreadAppended = true;
       }
     }
 
-    if (vp.isObject() && !allObjs.append(vp))
+    if (!alreadAppended && vp.isObject() && !allObjs.append(vp)) {
         return false;
+    }
 
     return true;
 }
@@ -2828,7 +2843,20 @@ JS_WriteTypedArray(JSStructuredCloneWriter* w, HandleValue v)
     MOZ_ASSERT(v.isObject());
     assertSameCompartment(w->context(), v);
     RootedObject obj(w->context(), &v.toObject());
-    return w->writeTypedArray(obj);
+
+    // startWrite can write everything, thus we should check here
+    // and report error if the user passes a wrong type.
+    if (!JS_IsTypedArrayObject(obj)) {
+        JS_ReportErrorNumberASCII(w->context(), GetErrorMessage, nullptr,
+                                  JSMSG_SC_BAD_SERIALIZED_DATA,
+                                  "expected type array");
+        return false;
+    }
+
+    // We should use startWrite instead of writeTypedArray, because
+    // typed array is an object, we should add it to the |memory|
+    // (allObjs) list. Directly calling writeTypedArray won't add it.
+    return w->startWrite(v);
 }
 
 JS_PUBLIC_API(bool)
author	Basilisk-Dev <basiliskdev@protonmail.com>	2023-10-30 15:38:40 -0400
committer	Basilisk-Dev <basiliskdev@protonmail.com>	2023-10-30 15:38:40 -0400
commit	fc1697622c4086da9606f2f2b1b4886ef8f5c464 (patch)
tree	b6393c9c7253c2326a5f5a32f7492ec5d92d0c8c /js
parent	ecb8ae6aba40290bb1adb12991e5515f91f00b80 (diff)
download	uxp-fc1697622c4086da9606f2f2b1b4886ef8f5c464.tar.gz