From e13d43ac6a75637abca6564ba2d8810c5bf99ace Mon Sep 17 00:00:00 2001
From: Cameron Kaiser <classilla@floodgap.com>
Date: Fri, 22 Sep 2017 09:10:30 -0700
Subject: [PATCH] #433: M1395598 M1389974 M1396570 M1384801

---
 dom/storage/DOMStorageDBThread.cpp            |  5 ++++-
 dom/storage/DOMStorageIPC.cpp                 |  7 ++++++-
 js/src/jsarray.cpp                            |  6 +++---
 js/xpconnect/wrappers/XrayWrapper.cpp         |  4 ++--
 .../signaling/src/sdp/sipcc/sdp_base64.c      | 19 ++++++++++++++-----
 5 files changed, 29 insertions(+), 12 deletions(-)

diff --git a/dom/storage/DOMStorageDBThread.cpp b/dom/storage/DOMStorageDBThread.cpp
index e3e3ff1a9..a98e31499 100644
--- a/dom/storage/DOMStorageDBThread.cpp
+++ b/dom/storage/DOMStorageDBThread.cpp
@@ -859,7 +859,10 @@ DOMStorageDBThread::DBOperation::Perform(DOMStorageDBThread* aThread)
       }
     }
 
-    mCache->LoadDone(NS_OK);
+    // The loop condition's call to ExecuteStep() may have terminated because
+    // !NS_SUCCEEDED(), we need an early return to cover that case.  This also
+    // covers success cases as well, but that's inductively safe.
+    NS_ENSURE_SUCCESS(rv, rv);
     break;
   }
 
diff --git a/dom/storage/DOMStorageIPC.cpp b/dom/storage/DOMStorageIPC.cpp
index 665a49c01..4b13fc490 100644
--- a/dom/storage/DOMStorageIPC.cpp
+++ b/dom/storage/DOMStorageIPC.cpp
@@ -443,6 +443,7 @@ public:
   virtual bool LoadItem(const nsAString& aKey, const nsString& aValue)
   {
     // Called on the aCache background thread
+    MOZ_ASSERT(!mLoaded);
     if (mLoaded) {
       return false;
     }
@@ -457,8 +458,12 @@ public:
   {
     // Called on the aCache background thread
     MonitorAutoLock monitor(mMonitor);
+    MOZ_ASSERT(!mLoaded && mRv);
     mLoaded = true;
-    *mRv = aRv;
+    if (mRv) {
+      *mRv = aRv;
+      mRv = nullptr;
+    }
     monitor.Notify();
   }
 
diff --git a/js/src/jsarray.cpp b/js/src/jsarray.cpp
index 4b274cfdb..daba74dd0 100644
--- a/js/src/jsarray.cpp
+++ b/js/src/jsarray.cpp
@@ -984,7 +984,7 @@ ArrayJoinDenseKernel(JSContext* cx, SeparatorOp sepOp, HandleObject obj, uint32_
         if (!CheckForInterrupt(cx))
             return DenseElementResult::Failure;
 
-        const Value& elem = GetBoxedOrUnboxedDenseElement<Type>(obj, *numProcessed);
+        Value elem = GetBoxedOrUnboxedDenseElement<Type>(obj, *numProcessed);
 
         if (elem.isString()) {
             if (!sb.append(elem.toString()))
@@ -3690,10 +3690,10 @@ bool
 js::ArrayInfo(JSContext* cx, unsigned argc, Value* vp)
 {
     CallArgs args = CallArgsFromVp(argc, vp);
-    JSObject* obj;
+    RootedObject obj(cx);
 
     for (unsigned i = 0; i < args.length(); i++) {
-        RootedValue arg(cx, args[i]);
+        HandleValue arg = args[i];
 
         UniquePtr<char[], JS::FreePolicy> bytes =
             DecompileValueGenerator(cx, JSDVG_SEARCH_STACK, arg, nullptr);
diff --git a/js/xpconnect/wrappers/XrayWrapper.cpp b/js/xpconnect/wrappers/XrayWrapper.cpp
index 027869e6b..4d177ba52 100644
--- a/js/xpconnect/wrappers/XrayWrapper.cpp
+++ b/js/xpconnect/wrappers/XrayWrapper.cpp
@@ -2008,10 +2008,10 @@ RecreateLostWaivers(JSContext* cx, const JSPropertyDescriptor* orig,
         orig->value.isObject() &&
         WrapperFactory::HasWaiveXrayFlag(&orig->value.toObject());
     bool getterWasWaived =
-        (orig->attrs & JSPROP_GETTER) &&
+        (orig->attrs & JSPROP_GETTER) && orig->getter &&
         WrapperFactory::HasWaiveXrayFlag(JS_FUNC_TO_DATA_PTR(JSObject*, orig->getter));
     bool setterWasWaived =
-        (orig->attrs & JSPROP_SETTER) &&
+        (orig->attrs & JSPROP_SETTER) && orig->setter &&
         WrapperFactory::HasWaiveXrayFlag(JS_FUNC_TO_DATA_PTR(JSObject*, orig->setter));
 
     // Recreate waivers. Note that for value, we need an extra UncheckedUnwrap
diff --git a/media/webrtc/signaling/src/sdp/sipcc/sdp_base64.c b/media/webrtc/signaling/src/sdp/sipcc/sdp_base64.c
index 0cef82166..80f1eb52d 100644
--- a/media/webrtc/signaling/src/sdp/sipcc/sdp_base64.c
+++ b/media/webrtc/signaling/src/sdp/sipcc/sdp_base64.c
@@ -239,6 +239,15 @@ base64_result_t base64_encode(unsigned char *src, int src_bytes, unsigned char *
     return BASE64_SUCCESS;
 }
 
+unsigned char base64_decode_get_raw(unsigned char index)
+{
+    /* only have 128 values, MSB must not be set! */
+    if (index >= 128) {
+      return INVALID_CHAR;
+    }
+    return base64_to_raw_table[index];
+}
+
 /*
  * base64_decode
  *
@@ -280,8 +289,8 @@ base64_result_t base64_decode(unsigned char *src, int src_bytes, unsigned char *
     for (i=0; i<src_bytes; i++) {
 	cindex = src[i];
 
-	if ((cindex & 0x80) || /* only have 128 values, MSB must not be set! */
-	    ((val = base64_to_raw_table[cindex]) == INVALID_CHAR)) {
+	val = base64_decode_get_raw(cindex);
+	if (val  == INVALID_CHAR) {
 	    /* Invalid base64 character */
 	    return BASE64_BAD_DATA;
 	}
@@ -296,7 +305,7 @@ base64_result_t base64_decode(unsigned char *src, int src_bytes, unsigned char *
 	    pad_count++;
 	    if (++i<src_bytes) {
 		/* can have up to 2 pad chars */
-		if (base64_to_raw_table[src[i]] != PADDING) {
+                if (base64_decode_get_raw(src[i]) != PADDING) {
 		    return BASE64_BAD_PADDING;
 		}
 
@@ -340,7 +349,7 @@ base64_result_t base64_decode(unsigned char *src, int src_bytes, unsigned char *
 		 */
 		if ((val & 0x0F) ||
 		    (i+1>=src_bytes) ||
-		    (base64_to_raw_table[src[i+1]] != PADDING)) {
+		    (base64_decode_get_raw(src[i+1]) != PADDING)) {
 		    return BASE64_BUFFER_OVERRUN;
 		}
 	    }
@@ -363,7 +372,7 @@ base64_result_t base64_decode(unsigned char *src, int src_bytes, unsigned char *
 		 */
 		if ((val & 0x03) ||
 		    (i+1>=src_bytes) ||
-		    (base64_to_raw_table[src[i+1]] != PADDING)) {
+		    (base64_decode_get_raw(src[i+1]) != PADDING)) {
 		    return BASE64_BUFFER_OVERRUN;
 		}
 	    }