Bug 1587433: part 4) In `Selection::SetBaseAndExtent` check offsets are valid before constructing range boundaries. r=smaug
☠☠ backed out by c0c22dbdd5b8 ☠ ☠
authorMirko Brodesser <mbrodesser@mozilla.com>
Wed, 11 Dec 2019 12:24:40 +0000
changeset 507069 4032df295a67aca4366d33ebb0ba9a57305d1bcc
parent 507068 0e1577031addefed6aeaa5df8a724b73edb690a0
child 507070 7ebbcb2da48889068c9606106861ebcd95217de5
push id36922
push userncsoregi@mozilla.com
push dateMon, 16 Dec 2019 17:21:47 +0000
treeherdermozilla-central@27d0d6cc2131 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerssmaug
bugs1587433
milestone73.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1587433: part 4) In `Selection::SetBaseAndExtent` check offsets are valid before constructing range boundaries. r=smaug Avoid warnings. Differential Revision: https://phabricator.services.mozilla.com/D54277
dom/base/Selection.cpp
dom/base/Selection.h
--- a/dom/base/Selection.cpp
+++ b/dom/base/Selection.cpp
@@ -3288,16 +3288,29 @@ void Selection::Modify(const nsAString& 
 void Selection::SetBaseAndExtentJS(nsINode& aAnchorNode, uint32_t aAnchorOffset,
                                    nsINode& aFocusNode, uint32_t aFocusOffset,
                                    ErrorResult& aRv) {
   AutoRestore<bool> calledFromJSRestorer(mCalledByJS);
   mCalledByJS = true;
   SetBaseAndExtent(aAnchorNode, aAnchorOffset, aFocusNode, aFocusOffset, aRv);
 }
 
+void Selection::SetBaseAndExtent(nsINode& aAnchorNode, uint32_t aAnchorOffset,
+                                 nsINode& aFocusNode, uint32_t aFocusOffset,
+                                 ErrorResult& aRv) {
+  if ((aAnchorOffset > aAnchorNode.Length()) ||
+      (aFocusOffset > aFocusNode.Length())) {
+    aRv.Throw(NS_ERROR_DOM_INDEX_SIZE_ERR);
+    return;
+  }
+
+  SetBaseAndExtent(RawRangeBoundary{&aAnchorNode, aAnchorOffset},
+                   RawRangeBoundary{&aFocusNode, aFocusOffset}, aRv);
+}
+
 void Selection::SetBaseAndExtentInternal(InLimiter aInLimiter,
                                          const RawRangeBoundary& aAnchorRef,
                                          const RawRangeBoundary& aFocusRef,
                                          ErrorResult& aRv) {
   if (!mFrameSelection) {
     return;
   }
 
--- a/dom/base/Selection.h
+++ b/dom/base/Selection.h
@@ -499,20 +499,17 @@ class Selection final : public nsSupport
    * specified, then if anchor point is after focus node, this sets the
    * direction to eDirPrevious.
    * Note that this may reset the limiter and move focus.  If you don't want
    * that, use SetBaseAndExtentInLimier() instead.
    */
   MOZ_CAN_RUN_SCRIPT
   void SetBaseAndExtent(nsINode& aAnchorNode, uint32_t aAnchorOffset,
                         nsINode& aFocusNode, uint32_t aFocusOffset,
-                        ErrorResult& aRv) {
-    SetBaseAndExtent(RawRangeBoundary(&aAnchorNode, aAnchorOffset),
-                     RawRangeBoundary(&aFocusNode, aFocusOffset), aRv);
-  }
+                        ErrorResult& aRv);
   MOZ_CAN_RUN_SCRIPT
   void SetBaseAndExtent(const RawRangeBoundary& aAnchorRef,
                         const RawRangeBoundary& aFocusRef, ErrorResult& aRv) {
     SetBaseAndExtentInternal(InLimiter::eNo, aAnchorRef, aFocusRef, aRv);
   }
 
   /**
    * SetBaseAndExtentInLimier() is similar to SetBaseAndExtent(), but this