From a571ba51b09ca304ae14be4220fbb7d620df88ec Mon Sep 17 00:00:00 2001
From: "mrbkap%gmail.com"
 <mrbkap%gmail.com@18797224-902f-48f8-a5cc-f745e15eee43>
Date: Thu, 22 Jan 2009 03:04:00 +0000
Subject: [PATCH] Bug 473709 - Protect |str| across the call to js_NewRegExp.
 r=jwalden a=dveditz. Thanks to Gary Kwong for helping backport the patch!

git-svn-id: svn://10.0.0.236/trunk@255885 18797224-902f-48f8-a5cc-f745e15eee43
---
 mozilla/js/src/jsregexp.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/mozilla/js/src/jsregexp.c b/mozilla/js/src/jsregexp.c
index 6da14d48f61..2cea2dc2931 100644
--- a/mozilla/js/src/jsregexp.c
+++ b/mozilla/js/src/jsregexp.c
@@ -4308,10 +4308,12 @@ js_NewRegExpObject(JSContext *cx, JSTokenStream *ts,
     str = js_NewStringCopyN(cx, chars, length);
     if (!str)
         return NULL;
-    re = js_NewRegExp(cx, ts,  str, flags, JS_FALSE);
-    if (!re)
-        return NULL;
     JS_PUSH_TEMP_ROOT_STRING(cx, str, &tvr);
+    re = js_NewRegExp(cx, ts,  str, flags, JS_FALSE);
+    if (!re) {
+        JS_POP_TEMP_ROOT(cx, &tvr);
+        return NULL;
+    }
     obj = js_NewObject(cx, &js_RegExpClass, NULL, NULL, 0);
     if (!obj || !JS_SetPrivate(cx, obj, re)) {
         js_DestroyRegExp(cx, re);