Bug 1076587 - Avoid null deref in HTMLImageElement::AfterSetAttr with <picture> enabled r=bz
authorJohn Schoenick <jschoenick@mozilla.com>
Tue, 01 Jul 2014 13:36:06 -0700
changeset 212304 6345f1767ed7c7a28d204bebccffdef133ba4072
parent 212303 03b6a747eac115e2df717486586e502e364a8edf
child 212305 987133583ef31ad063b90256ccea948cb78326d0
push id27704
push userkwierso@gmail.com
push dateSat, 25 Oct 2014 01:25:30 +0000
treeherdermozilla-central@e37231060eb4 [default view] [failures only]
reviewersbz
bugs1076587
milestone36.0a1
Bug 1076587 - Avoid null deref in HTMLImageElement::AfterSetAttr with <picture> enabled r=bz
content/html/content/src/HTMLImageElement.cpp
--- a/content/html/content/src/HTMLImageElement.cpp
+++ b/content/html/content/src/HTMLImageElement.cpp
@@ -20,16 +20,17 @@
 #include "nsContentUtils.h"
 #include "nsContainerFrame.h"
 #include "nsNodeInfoManager.h"
 #include "mozilla/MouseEvents.h"
 #include "nsContentPolicyUtils.h"
 #include "nsIDOMWindow.h"
 #include "nsFocusManager.h"
 #include "mozilla/dom/HTMLFormElement.h"
+#include "nsAttrValueOrString.h"
 
 // Responsive images!
 #include "mozilla/dom/HTMLSourceElement.h"
 #include "mozilla/dom/ResponsiveImageSelector.h"
 
 #include "imgIContainer.h"
 #include "imgILoader.h"
 #include "imgINotificationObserver.h"
@@ -362,41 +363,40 @@ HTMLImageElement::AfterSetAttr(int32_t a
       nsDependentAtomString(aValue->GetAtomValue()));
   }
 
   // Handle src/srcset/crossorigin updates. If aNotify is false, we are coming
   // from the parser or some such place; we'll get bound after all the
   // attributes have been set, so we'll do the image load from BindToTree.
 
   nsCOMPtr<nsIContent> thisContent = AsContent();
+  nsAttrValueOrString attrVal(aValue);
+
   if (aName == nsGkAtoms::src &&
       aNameSpaceID == kNameSpaceID_None) {
     // SetAttr handles setting src in the non-responsive case, so only handle it
     // for responsive mode or unsetting
     if (!aValue) {
       CancelImageRequests(aNotify);
     } else if (mResponsiveSelector) {
-      mResponsiveSelector->SetDefaultSource(aValue ? aValue->GetStringValue()
-                                                   : EmptyString());
+      mResponsiveSelector->SetDefaultSource(attrVal.String());
       LoadSelectedImage(false, aNotify);
     }
   } else if (aName == nsGkAtoms::srcset &&
              aNameSpaceID == kNameSpaceID_None &&
              aNotify &&
              AsContent()->IsInDoc() &&
              IsSrcsetEnabled()) {
     // We currently don't handle responsive mode until BindToTree
-    PictureSourceSrcsetChanged(thisContent,
-                               aValue ? aValue->GetStringValue() : EmptyString(),
-                               aNotify);
+    PictureSourceSrcsetChanged(thisContent, attrVal.String(), aNotify);
   } else if (aName == nsGkAtoms::sizes &&
              aNameSpaceID == kNameSpaceID_None &&
              thisContent->IsInDoc() &&
              HTMLPictureElement::IsPictureEnabled()) {
-    PictureSourceSizesChanged(thisContent, aValue->GetStringValue(), aNotify);
+    PictureSourceSizesChanged(thisContent, attrVal.String(), aNotify);
   } else if (aName == nsGkAtoms::crossorigin &&
              aNameSpaceID == kNameSpaceID_None &&
              aNotify) {
     // We want aForce == true in this LoadImage call, because we want to force
     // a new load of the image with the new cross origin policy.
     nsCOMPtr<nsIURI> currentURI;
     if (NS_SUCCEEDED(GetCurrentURI(getter_AddRefs(currentURI))) && currentURI) {
       LoadImage(currentURI, true, aNotify);
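Review bot: The new `nsAttrValueOrString attrVal(aValue);` declaration carries the whole null-safety fix, but nothing at that line says that `aValue` is null when an attribute is being unset, which is the case the old `sizes` branch dereferenced unguarded with `aValue->GetStringValue()`. A short comment above it, such as `// aValue is null on attribute removal; attrVal.String() is then the empty string, so never dereference aValue directly below.`, would keep a later edit from reintroducing a raw `aValue->` call in one of these branches. This assumes the wrapper yields an empty string for a null pointer, as the removed `aValue ? ... : EmptyString()` ternaries did. No crashtest is visible on this page for removing `sizes` from an in-document image with `<picture>` enabled; if the changeset has none, one would pin the regression. `AfterSetAttr` begins and ends outside this hunk.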