forked from mirrors/gecko-dev
		
	
		
			
				
	
	
		
			373 lines
		
	
	
	
		
			13 KiB
		
	
	
	
		
			C++
		
	
	
	
	
	
			
		
		
	
	
			373 lines
		
	
	
	
		
			13 KiB
		
	
	
	
		
			C++
		
	
	
	
	
	
| /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
 | |
| /* vim: set ts=8 sts=2 et sw=2 tw=80: */
 | |
| /* This Source Code Form is subject to the terms of the Mozilla Public
 | |
|  * License, v. 2.0. If a copy of the MPL was not distributed with this
 | |
|  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 | |
| 
 | |
| #include "mozilla/dom/ClonedErrorHolder.h"
 | |
| 
 | |
| #include "mozilla/dom/BindingUtils.h"
 | |
| #include "mozilla/dom/ClonedErrorHolderBinding.h"
 | |
| #include "mozilla/dom/DOMException.h"
 | |
| #include "mozilla/dom/DOMExceptionBinding.h"
 | |
| #include "mozilla/dom/Exceptions.h"
 | |
| #include "mozilla/dom/StructuredCloneTags.h"
 | |
| #include "mozilla/dom/ToJSValue.h"
 | |
| #include "jsapi.h"
 | |
| #include "jsfriendapi.h"
 | |
| #include "js/StructuredClone.h"
 | |
| #include "nsReadableUtils.h"
 | |
| #include "xpcpublic.h"
 | |
| 
 | |
| using namespace mozilla;
 | |
| using namespace mozilla::dom;
 | |
| 
 | |
| // static
 | |
| UniquePtr<ClonedErrorHolder> ClonedErrorHolder::Constructor(
 | |
|     const GlobalObject& aGlobal, JS::Handle<JSObject*> aError,
 | |
|     ErrorResult& aRv) {
 | |
|   return Create(aGlobal.Context(), aError, aRv);
 | |
| }
 | |
| 
 | |
| // static
 | |
| UniquePtr<ClonedErrorHolder> ClonedErrorHolder::Create(
 | |
|     JSContext* aCx, JS::Handle<JSObject*> aError, ErrorResult& aRv) {
 | |
|   UniquePtr<ClonedErrorHolder> ceh(new ClonedErrorHolder());
 | |
|   ceh->Init(aCx, aError, aRv);
 | |
|   if (aRv.Failed()) {
 | |
|     return nullptr;
 | |
|   }
 | |
|   return ceh;
 | |
| }
 | |
| 
 | |
| ClonedErrorHolder::ClonedErrorHolder()
 | |
|     : mName(VoidCString()),
 | |
|       mMessage(VoidCString()),
 | |
|       mFilename(VoidCString()),
 | |
|       mSourceLine(VoidCString()) {}
 | |
| 
 | |
| void ClonedErrorHolder::Init(JSContext* aCx, JS::Handle<JSObject*> aError,
 | |
|                              ErrorResult& aRv) {
 | |
|   JS::Rooted<JSObject*> stack(aCx);
 | |
| 
 | |
|   if (JSErrorReport* err = JS_ErrorFromException(aCx, aError)) {
 | |
|     mType = Type::JSError;
 | |
|     if (err->message()) {
 | |
|       mMessage = err->message().c_str();
 | |
|     }
 | |
|     if (err->filename) {
 | |
|       mFilename = err->filename.c_str();
 | |
|     }
 | |
|     if (err->linebuf()) {
 | |
|       AppendUTF16toUTF8(
 | |
|           nsDependentSubstring(err->linebuf(), err->linebufLength()),
 | |
|           mSourceLine);
 | |
|       mTokenOffset = err->tokenOffset();
 | |
|     }
 | |
|     mLineNumber = err->lineno;
 | |
|     mColumn = err->column;
 | |
|     mErrorNumber = err->errorNumber;
 | |
|     mExnType = JSExnType(err->exnType);
 | |
| 
 | |
|     // Note: We don't save the souce ID here, since this object is cross-process
 | |
|     // clonable, and the source ID won't be valid in other processes.
 | |
|     // We don't store the source notes either, though for no other reason that
 | |
|     // it isn't clear that it's worth the complexity.
 | |
| 
 | |
|     stack = JS::ExceptionStackOrNull(aError);
 | |
|   } else {
 | |
|     RefPtr<DOMException> domExn;
 | |
|     RefPtr<Exception> exn;
 | |
|     if (NS_SUCCEEDED(UNWRAP_OBJECT(DOMException, aError, domExn))) {
 | |
|       mType = Type::DOMException;
 | |
|       mCode = domExn->Code();
 | |
|       exn = std::move(domExn);
 | |
|     } else if (NS_SUCCEEDED(UNWRAP_OBJECT(Exception, aError, exn))) {
 | |
|       mType = Type::Exception;
 | |
|     } else {
 | |
|       aRv.ThrowNotSupportedError(
 | |
|           "We can only clone DOM Exceptions and native JS Error objects");
 | |
|       return;
 | |
|     }
 | |
| 
 | |
|     nsAutoString str;
 | |
| 
 | |
|     exn->GetName(str);
 | |
|     CopyUTF16toUTF8(str, mName);
 | |
| 
 | |
|     exn->GetMessageMoz(str);
 | |
|     CopyUTF16toUTF8(str, mMessage);
 | |
| 
 | |
|     // Note: In DOM exceptions, filename, line number, and column number come
 | |
|     // from the stack frame, and don't need to be stored separately. mFilename,
 | |
|     // mLineNumber, and mColumn are only used for JS exceptions.
 | |
|     //
 | |
|     // We also don't serialized Exception's mThrownJSVal or mData fields, since
 | |
|     // they generally won't be serializable.
 | |
| 
 | |
|     mResult = nsresult(exn->Result());
 | |
| 
 | |
|     if (nsCOMPtr<nsIStackFrame> frame = exn->GetLocation()) {
 | |
|       JS::Rooted<JS::Value> value(aCx);
 | |
|       frame->GetNativeSavedFrame(&value);
 | |
|       if (value.isObject()) {
 | |
|         stack = &value.toObject();
 | |
|       }
 | |
|     }
 | |
|   }
 | |
| 
 | |
|   Maybe<JSAutoRealm> ar;
 | |
|   if (stack) {
 | |
|     ar.emplace(aCx, stack);
 | |
|   }
 | |
|   JS::Rooted<JS::Value> stackValue(aCx, JS::ObjectOrNullValue(stack));
 | |
|   mStack.Write(aCx, stackValue, aRv);
 | |
| }
 | |
| 
 | |
| bool ClonedErrorHolder::WrapObject(JSContext* aCx,
 | |
|                                    JS::Handle<JSObject*> aGivenProto,
 | |
|                                    JS::MutableHandle<JSObject*> aReflector) {
 | |
|   return ClonedErrorHolder_Binding::Wrap(aCx, this, aGivenProto, aReflector);
 | |
| }
 | |
| 
 | |
| static constexpr uint32_t kVoidStringLength = ~0;
 | |
| 
 | |
| static bool WriteStringPair(JSStructuredCloneWriter* aWriter,
 | |
|                             const nsACString& aString1,
 | |
|                             const nsACString& aString2) {
 | |
|   auto StringLength = [](const nsACString& aStr) -> uint32_t {
 | |
|     auto length = uint32_t(aStr.Length());
 | |
|     MOZ_DIAGNOSTIC_ASSERT(length != kVoidStringLength,
 | |
|                           "We should not be serializing a 4GiB string");
 | |
|     if (aStr.IsVoid()) {
 | |
|       return kVoidStringLength;
 | |
|     }
 | |
|     return length;
 | |
|   };
 | |
| 
 | |
|   return JS_WriteUint32Pair(aWriter, StringLength(aString1),
 | |
|                             StringLength(aString2)) &&
 | |
|          JS_WriteBytes(aWriter, aString1.BeginReading(), aString1.Length()) &&
 | |
|          JS_WriteBytes(aWriter, aString2.BeginReading(), aString2.Length());
 | |
| }
 | |
| 
 | |
| static bool ReadStringPair(JSStructuredCloneReader* aReader,
 | |
|                            nsACString& aString1, nsACString& aString2) {
 | |
|   auto ReadString = [&](nsACString& aStr, uint32_t aLength) {
 | |
|     if (aLength == kVoidStringLength) {
 | |
|       aStr.SetIsVoid(true);
 | |
|       return true;
 | |
|     }
 | |
|     char* data = nullptr;
 | |
|     return aLength == 0 || (aStr.GetMutableData(&data, aLength, fallible) &&
 | |
|                             JS_ReadBytes(aReader, data, aLength));
 | |
|   };
 | |
| 
 | |
|   aString1.Truncate(0);
 | |
|   aString2.Truncate(0);
 | |
| 
 | |
|   uint32_t length1, length2;
 | |
|   return JS_ReadUint32Pair(aReader, &length1, &length2) &&
 | |
|          ReadString(aString1, length1) && ReadString(aString2, length2);
 | |
| }
 | |
| 
 | |
| bool ClonedErrorHolder::WriteStructuredClone(JSContext* aCx,
 | |
|                                              JSStructuredCloneWriter* aWriter,
 | |
|                                              StructuredCloneHolder* aHolder) {
 | |
|   auto& data = mStack.BufferData();
 | |
|   return JS_WriteUint32Pair(aWriter, SCTAG_DOM_CLONED_ERROR_OBJECT, 0) &&
 | |
|          WriteStringPair(aWriter, mName, mMessage) &&
 | |
|          WriteStringPair(aWriter, mFilename, mSourceLine) &&
 | |
|          JS_WriteUint32Pair(aWriter, mLineNumber,
 | |
|                             *mColumn.addressOfValueForTranscode()) &&
 | |
|          JS_WriteUint32Pair(aWriter, mTokenOffset, mErrorNumber) &&
 | |
|          JS_WriteUint32Pair(aWriter, uint32_t(mType), uint32_t(mExnType)) &&
 | |
|          JS_WriteUint32Pair(aWriter, mCode, uint32_t(mResult)) &&
 | |
|          JS_WriteUint32Pair(aWriter, data.Size(),
 | |
|                             JS_STRUCTURED_CLONE_VERSION) &&
 | |
|          data.ForEachDataChunk([&](const char* aData, size_t aSize) {
 | |
|            return JS_WriteBytes(aWriter, aData, aSize);
 | |
|          });
 | |
| }
 | |
| 
 | |
| bool ClonedErrorHolder::Init(JSContext* aCx, JSStructuredCloneReader* aReader) {
 | |
|   uint32_t type, exnType, result, code;
 | |
|   if (!(ReadStringPair(aReader, mName, mMessage) &&
 | |
|         ReadStringPair(aReader, mFilename, mSourceLine) &&
 | |
|         JS_ReadUint32Pair(aReader, &mLineNumber,
 | |
|                           mColumn.addressOfValueForTranscode()) &&
 | |
|         JS_ReadUint32Pair(aReader, &mTokenOffset, &mErrorNumber) &&
 | |
|         JS_ReadUint32Pair(aReader, &type, &exnType) &&
 | |
|         JS_ReadUint32Pair(aReader, &code, &result) &&
 | |
|         mStack.ReadStructuredCloneInternal(aCx, aReader))) {
 | |
|     return false;
 | |
|   }
 | |
| 
 | |
|   if (type == uint32_t(Type::Uninitialized) || type >= uint32_t(Type::Max_) ||
 | |
|       exnType >= uint32_t(JSEXN_ERROR_LIMIT)) {
 | |
|     return false;
 | |
|   }
 | |
| 
 | |
|   mType = Type(type);
 | |
|   mExnType = JSExnType(exnType);
 | |
|   mResult = nsresult(result);
 | |
|   mCode = code;
 | |
| 
 | |
|   return true;
 | |
| }
 | |
| 
 | |
| /* static */
 | |
| JSObject* ClonedErrorHolder::ReadStructuredClone(
 | |
|     JSContext* aCx, JSStructuredCloneReader* aReader,
 | |
|     StructuredCloneHolder* aHolder) {
 | |
|   // Keep the result object rooted across the call to ClonedErrorHolder::Release
 | |
|   // to avoid a potential rooting hazard.
 | |
|   JS::Rooted<JS::Value> errorVal(aCx);
 | |
|   {
 | |
|     UniquePtr<ClonedErrorHolder> ceh(new ClonedErrorHolder());
 | |
|     if (!ceh->Init(aCx, aReader) || !ceh->ToErrorValue(aCx, &errorVal)) {
 | |
|       return nullptr;
 | |
|     }
 | |
|   }
 | |
|   return &errorVal.toObject();
 | |
| }
 | |
| 
 | |
| static JS::UniqueTwoByteChars ToNullTerminatedJSStringBuffer(
 | |
|     JSContext* aCx, const nsString& aStr) {
 | |
|   // Since nsString is null terminated, we can simply copy + 1 characters.
 | |
|   size_t nbytes = (aStr.Length() + 1) * sizeof(char16_t);
 | |
|   JS::UniqueTwoByteChars buffer(static_cast<char16_t*>(JS_malloc(aCx, nbytes)));
 | |
|   if (buffer) {
 | |
|     memcpy(buffer.get(), aStr.get(), nbytes);
 | |
|   }
 | |
|   return buffer;
 | |
| }
 | |
| 
 | |
| static bool ToJSString(JSContext* aCx, const nsACString& aStr,
 | |
|                        JS::MutableHandle<JSString*> aJSString) {
 | |
|   if (aStr.IsVoid()) {
 | |
|     aJSString.set(nullptr);
 | |
|     return true;
 | |
|   }
 | |
|   JS::Rooted<JS::Value> res(aCx);
 | |
|   if (xpc::NonVoidStringToJsval(aCx, NS_ConvertUTF8toUTF16(aStr), &res)) {
 | |
|     aJSString.set(res.toString());
 | |
|     return true;
 | |
|   }
 | |
|   return false;
 | |
| }
 | |
| 
 | |
| bool ClonedErrorHolder::ToErrorValue(JSContext* aCx,
 | |
|                                      JS::MutableHandle<JS::Value> aResult) {
 | |
|   JS::Rooted<JS::Value> stackVal(aCx);
 | |
|   JS::Rooted<JSObject*> stack(aCx);
 | |
| 
 | |
|   IgnoredErrorResult rv;
 | |
|   mStack.Read(xpc::CurrentNativeGlobal(aCx), aCx, &stackVal, rv);
 | |
|   // Note: We continue even if reading the stack fails, since we can still
 | |
|   // produce a useful error object even without a stack. That said, if decoding
 | |
|   // the stack fails, there's a pretty good chance that the rest of the message
 | |
|   // is corrupt, and there's no telling how useful the final result will
 | |
|   // actually be.
 | |
|   if (!rv.Failed() && stackVal.isObject()) {
 | |
|     stack = &stackVal.toObject();
 | |
|     // Make sure that this is really a saved frame. This mainly ensures that
 | |
|     // malicious code on the child side can't trigger a memory exploit by
 | |
|     // sending an incompatible data type, but also protects against potential
 | |
|     // issues like a cross-compartment wrapper being unexpectedly cut.
 | |
|     if (!js::IsSavedFrame(stack)) {
 | |
|       stack = nullptr;
 | |
|     }
 | |
|   }
 | |
| 
 | |
|   if (mType == Type::JSError) {
 | |
|     JS::Rooted<JSString*> filename(aCx);
 | |
|     JS::Rooted<JSString*> message(aCx);
 | |
| 
 | |
|     // For some unknown reason, we can end up with a void string in mFilename,
 | |
|     // which will cause filename to be null, which causes JS::CreateError() to
 | |
|     // crash. Make this code against robust against this by treating void
 | |
|     // strings as the empty string.
 | |
|     if (mFilename.IsVoid()) {
 | |
|       mFilename.Assign(""_ns);
 | |
|     }
 | |
| 
 | |
|     // When fuzzing, we can also end up with the message to be null,
 | |
|     // so we should handle that case as well.
 | |
|     if (mMessage.IsVoid()) {
 | |
|       mMessage.Assign(""_ns);
 | |
|     }
 | |
| 
 | |
|     if (!ToJSString(aCx, mFilename, &filename) ||
 | |
|         !ToJSString(aCx, mMessage, &message)) {
 | |
|       return false;
 | |
|     }
 | |
|     if (!JS::CreateError(aCx, mExnType, stack, filename, mLineNumber, mColumn,
 | |
|                          nullptr, message, JS::NothingHandleValue, aResult)) {
 | |
|       return false;
 | |
|     }
 | |
| 
 | |
|     if (!mSourceLine.IsVoid()) {
 | |
|       JS::Rooted<JSObject*> errObj(aCx, &aResult.toObject());
 | |
|       if (JSErrorReport* err = JS_ErrorFromException(aCx, errObj)) {
 | |
|         NS_ConvertUTF8toUTF16 sourceLine(mSourceLine);
 | |
|         // Because this string ends up being consumed as an nsDependentString
 | |
|         // in nsXPCComponents_Utils::ReportError, this needs to be a null
 | |
|         // terminated string.
 | |
|         //
 | |
|         // See Bug 1699569.
 | |
|         if (mTokenOffset >= sourceLine.Length()) {
 | |
|           // Corrupt data, leave linebuf unset.
 | |
|         } else if (JS::UniqueTwoByteChars buffer =
 | |
|                        ToNullTerminatedJSStringBuffer(aCx, sourceLine)) {
 | |
|           err->initOwnedLinebuf(buffer.release(), sourceLine.Length(),
 | |
|                                 mTokenOffset);
 | |
|         } else {
 | |
|           // Just ignore OOM and continue if the string copy failed.
 | |
|           JS_ClearPendingException(aCx);
 | |
|         }
 | |
|       }
 | |
|     }
 | |
| 
 | |
|     return true;
 | |
|   }
 | |
| 
 | |
|   nsCOMPtr<nsIStackFrame> frame(exceptions::CreateStack(aCx, stack));
 | |
| 
 | |
|   RefPtr<Exception> exn;
 | |
|   if (mType == Type::Exception) {
 | |
|     exn = new Exception(mMessage, mResult, mName, frame, nullptr);
 | |
|   } else {
 | |
|     MOZ_ASSERT(mType == Type::DOMException);
 | |
|     exn = new DOMException(mResult, mMessage, mName, mCode, frame);
 | |
|   }
 | |
| 
 | |
|   return ToJSValue(aCx, exn, aResult);
 | |
| }
 | |
| 
 | |
| bool ClonedErrorHolder::Holder::ReadStructuredCloneInternal(
 | |
|     JSContext* aCx, JSStructuredCloneReader* aReader) {
 | |
|   uint32_t length;
 | |
|   uint32_t version;
 | |
|   if (!JS_ReadUint32Pair(aReader, &length, &version)) {
 | |
|     return false;
 | |
|   }
 | |
|   if (length % 8 != 0) {
 | |
|     return false;
 | |
|   }
 | |
| 
 | |
|   JSStructuredCloneData data(mStructuredCloneScope);
 | |
|   while (length) {
 | |
|     size_t size;
 | |
|     char* buffer = data.AllocateBytes(length, &size);
 | |
|     if (!buffer || !JS_ReadBytes(aReader, buffer, size)) {
 | |
|       return false;
 | |
|     }
 | |
|     length -= size;
 | |
|   }
 | |
| 
 | |
|   mBuffer = MakeUnique<JSAutoStructuredCloneBuffer>(
 | |
|       mStructuredCloneScope, &StructuredCloneHolder::sCallbacks, this);
 | |
|   mBuffer->adopt(std::move(data), version, &StructuredCloneHolder::sCallbacks);
 | |
|   return true;
 | |
| }
 | 
