Bug 1509989 - Make sure the start container is safe to access in nsRange::InsertNode. r=mats
authorEmilio Cobos Álvarez <emilio@crisal.io>
Tue, 27 Nov 2018 16:56:26 +0000
changeset 448357 d73fbe0676946487d3f7e2e3d61b7938dc50733d
parent 448356 76cda4d85a5a55f75afdd932b782ab02d01b6d5d
child 448358 49adeee1a1946e4aa452ff29f2bca4445aebe200
push id73815
push userealvarez@mozilla.com
push dateTue, 27 Nov 2018 18:03:28 +0000
reviewersmats
bugs1509989
milestone65.0a1
Bug 1509989 - Make sure the start container is safe to access in nsRange::InsertNode. r=mats Depends on D13070 Differential Revision: https://phabricator.services.mozilla.com/D13071
dom/base/nsRange.cpp
layout/style/crashtests/1509989.html
layout/style/crashtests/crashtests.list
--- a/dom/base/nsRange.cpp
+++ b/dom/base/nsRange.cpp
@@ -2619,16 +2619,21 @@ nsRange::InsertNode(nsINode& aNode, Erro
 
   uint32_t tStartOffset = StartOffset();
 
   nsCOMPtr<nsINode> tStartContainer = GetStartContainer(aRv);
   if (aRv.Failed()) {
     return;
   }
 
+  if (!CanAccess(*tStartContainer)) {
+    aRv.Throw(NS_ERROR_DOM_SECURITY_ERR);
+    return;
+  }
+
   if (&aNode == tStartContainer) {
     aRv.Throw(NS_ERROR_DOM_HIERARCHY_REQUEST_ERR);
     return;
   }
 
   // This is the node we'll be inserting before, and its parent
   nsCOMPtr<nsINode> referenceNode;
   nsCOMPtr<nsINode> referenceParentNode = tStartContainer;
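Review bot: The added `CanAccess(*tStartContainer)` guard has no comment explaining why a range's start container can be off-limits to the caller, so a later refactor could easily reorder or drop it. Judging by the accompanying crashtest, the selection range presumably sits inside the internal content of a focused `<input type="number">`; a comment along the lines of `// The range may start in content the caller is not allowed to touch (e.g. a selection inside a form control's internal subtree); refuse instead of mutating it.` would record that. The dereference also assumes `GetStartContainer(aRv)` never returns null when `aRv` has not failed; a `MOZ_ASSERT(tStartContainer);` before the check would make that contract explicit. `InsertNode` starts and ends outside this hunk, so whether `aNode` and the end container get an equivalent check is not visible here.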
new file mode 100644
--- /dev/null
+++ b/layout/style/crashtests/1509989.html
@@ -0,0 +1,11 @@
+<script>
+function go() {
+  window.getSelection().getRangeAt(0).insertNode(a);
+}
+</script>
+<body onload=go()>
+<dl>
+<dd id="a">
+<video>
+</dd>
+<input type="number" autofocus="">
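Review bot: This crashtest passes even if the guarded path in `nsRange::InsertNode` is never reached. If the autofocused number input has not yet received a selection when `onload` fires, `getRangeAt(0)` presumably throws first and `insertNode(a)` never runs. Because a crashtest only checks that nothing crashes, it also cannot tell the new `SecurityError` apart from any other exception. A companion mochitest or web-platform test that checks `getSelection().rangeCount` is non-zero and that `insertNode` throws `SecurityError` would pin down the behaviour this commit introduces.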
--- a/layout/style/crashtests/crashtests.list
+++ b/layout/style/crashtests/crashtests.list
@@ -290,8 +290,9 @@ load 1457288.html
 load 1457985.html
 load 1468640.html
 load 1469076.html
 load 1475003.html
 load 1479681.html
 load 1488817.html
 load 1490012.html
 load 1502893.html
+load 1509989.html