Overlay existing taint for custom sources (#258)

* Fixes #257 to prevent losing taint information for already tainted strings
* Bugfix StringTaint -> SafeStringTaint to prevent memory leaks

js/src/builtin/String.cpp

@@ -155,13 +155,11 @@ js::str_tainted(JSContext* cx, unsigned argc, Value* vp)
   // the original value of a manually tainted string was for debugging/testing.
   TaintOperation op = TaintOperation(source.c_str(), true, TaintLocationFromContext(cx), { taintarg(cx, str) });
   op.setSource();
-  SafeStringTaint taint(0, str->length(), op);
 
   JSString* tainted_str = NewDependentString(cx, str, 0, str->length());
   if (!tainted_str)
     return false;
-  tainted_str->setTaint(cx, taint);
-
+  JS_MarkTaintSource(cx, tainted_str, op);
   MOZ_ASSERT(tainted_str->isTainted());
 
   args.rval().setString(tainted_str);

js/src/jsapi.cpp

@@ -4911,8 +4911,8 @@ JS_SetStringTaint(JSContext* cx, JSString* str, const StringTaint& taint)
 JS_PUBLIC_API void
 JS_MarkTaintSource(JSContext* cx, JSString* str, const TaintOperation& op)
 {
-  if (str->isTainted()) {
-    JS_SetStringTaint(cx, str, StringTaint(0, str->length(), op));
+  if (!str->isTainted()) {
+    JS_SetStringTaint(cx, str, SafeStringTaint(0, str->length(), op));
   } else {
     str->taint().overlay(0, str->length(), op);
   }