Bug 726502 - nsDeviceMotion::DeviceMotionChanged may index out of bou…

…nds mWindowListeners array. r=smaug a=akeybl
mozilla · Mar 9, 2012 · 8474f67 · 8474f67
1 parent 2fe7e85
commit 8474f67
Showing 1 changed file with 17 additions and 8 deletions.
diff --git a/dom/system/nsDeviceMotion.cpp b/dom/system/nsDeviceMotion.cpp
@@ -199,12 +199,15 @@ NS_IMETHODIMP nsDeviceMotion::RemoveListener(nsIDeviceMotionListener *aListener)
 
 NS_IMETHODIMP nsDeviceMotion::AddWindowListener(nsIDOMWindow *aWindow)
 {
+  if (mWindowListeners.IndexOf(aWindow) != NoIndex)
+      return NS_OK;
+
   if (mStarted == false) {
     mStarted = true;
     Startup();
   }
-  if (mWindowListeners.IndexOf(aWindow) == NoIndex)
-    mWindowListeners.AppendElement(aWindow);
+
+  mWindowListeners.AppendElement(aWindow);
   return NS_OK;
 }
 
@@ -224,28 +227,34 @@ nsDeviceMotion::DeviceMotionChanged(PRUint32 type, double x, double y, double z)
   if (!mEnabled)
     return NS_ERROR_NOT_INITIALIZED;
 
-  for (PRUint32 i = mListeners.Count(); i > 0 ; ) {
+  nsCOMArray<nsIDeviceMotionListener> listeners = mListeners;
+  for (PRUint32 i = listeners.Count(); i > 0 ; ) {
     --i;
     nsRefPtr<nsDeviceMotionData> a = new nsDeviceMotionData(type, x, y, z);
-    mListeners[i]->OnMotionChange(a);
+    listeners[i]->OnMotionChange(a);
+  }
+
+  nsCOMArray<nsIDOMWindow> windowListeners;
+  for (PRUint32 i = 0; i < mWindowListeners.Length(); i++) {
+    windowListeners.AppendObject(mWindowListeners[i]);
   }
 
-  for (PRUint32 i = mWindowListeners.Length(); i > 0 ; ) {
+  for (PRUint32 i = windowListeners.Count(); i > 0 ; ) {
     --i;
 
     // check to see if this window is in the background.  if
     // it is, don't send any device motion to it.
-    nsCOMPtr<nsPIDOMWindow> pwindow = do_QueryInterface(mWindowListeners[i]);
+    nsCOMPtr<nsPIDOMWindow> pwindow = do_QueryInterface(windowListeners[i]);
     if (!pwindow ||
         !pwindow->GetOuterWindow() ||
         pwindow->GetOuterWindow()->IsBackground())
       continue;
 
     nsCOMPtr<nsIDOMDocument> domdoc;
-    mWindowListeners[i]->GetDocument(getter_AddRefs(domdoc));
+    windowListeners[i]->GetDocument(getter_AddRefs(domdoc));
 
     if (domdoc) {
-      nsCOMPtr<nsIDOMEventTarget> target = do_QueryInterface(mWindowListeners[i]);
+      nsCOMPtr<nsIDOMEventTarget> target = do_QueryInterface(windowListeners[i]);
       if (type == nsIDeviceMotionData::TYPE_ACCELERATION)
         FireDOMMotionEvent(domdoc, target, x, y, z);
       else if (type == nsIDeviceMotionData::TYPE_ORIENTATION)