[IndexedDB] Ensure that strong references to newly created cursors are

kept until the DOM Binding is created.

This fixes random crashes on websites that use IndexedDB cursors.
See also BZ bug 1599420

1 files changed, 4 insertions, 2 deletions

diff --git a/dom/indexedDB/ActorsChild.cpp b/dom/indexedDB/ActorsChild.cpp
index 30dc9b6da..85f876cdc 100644
--- a/dom/indexedDB/ActorsChild.cpp
+++ b/dom/indexedDB/ActorsChild.cpp
@@ -3291,6 +3291,10 @@ BackgroundCursorChild::HandleResponse(
   auto& responses =
     const_cast<nsTArray<ObjectStoreCursorResponse>&>(aResponses);
 
+  // If a new cursor is created, we need to keep a reference to it until the
+  // ResultHelper creates a DOM Binding.
+  RefPtr<IDBCursor> newCursor;
+
   for (ObjectStoreCursorResponse& response : responses) {
     StructuredCloneReadInfo cloneReadInfo(Move(response.cloneInfo()));
     cloneReadInfo.mDatabase = mTransaction->Database();
@@ -3300,8 +3304,6 @@ BackgroundCursorChild::HandleResponse(
                                     nullptr,
                                     cloneReadInfo.mFiles);
 
-    RefPtr<IDBCursor> newCursor;
-
     if (mCursor) {
       mCursor->Reset(Move(response.key()), Move(cloneReadInfo));
     } else {