From 4083a9abf76058d35f0277dd6857478fc6715137 Mon Sep 17 00:00:00 2001
From: Gaming4JC <g4jc@hyperbola.info>
Date: Mon, 20 Jan 2020 19:50:19 -0500
Subject: Bug 1396620 - Part 2: Fix compartment mismatch crash when doing old
 prototype swizzling for custom element

Tag UXP Issue #1344
---
 dom/base/Element.cpp | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/dom/base/Element.cpp b/dom/base/Element.cpp
index e77b43b86..c8467e036 100644
--- a/dom/base/Element.cpp
+++ b/dom/base/Element.cpp
@@ -482,6 +482,10 @@ Element::WrapObject(JSContext *aCx, JS::Handle<JSObject*> aGivenProto)
                                          data->GetCustomElementType(), &customProto);
       if (customProto &&
           NodePrincipal()->SubsumesConsideringDomain(nsContentUtils::ObjectPrincipal(customProto))) {
+        // The custom element prototype could be in different compartment.
+        if (!JS_WrapObject(aCx, &customProto)) {
+          return nullptr;
+        }
         // Just go ahead and create with the right proto up front.  Set
         // customProto to null to flag that we don't need to do any post-facto
         // proto fixups here.
-- 
cgit v1.2.3