Bug 1156581 - Add null check to nsSVGEffects::InvalidateRenderingObservers to prevent crashes r=dholbert
authorRobert Longson <longsonr@gmail.com>
Wed, 30 Dec 2015 20:19:33 +0000
changeset 277930 eb4dc9b5a928f3391492a40076b3fcd23559cc41
parent 277929 0d55a6e4e98e6e420ca9810688f9921434a94eef
child 277931 7b567b63d13ccef2c20a7cd5820b1143acc5fde3
push id29838
push userkwierso@gmail.com
push dateThu, 31 Dec 2015 01:36:02 +0000
reviewersdholbert
bugs1156581
milestone46.0a1
Bug 1156581 - Add null check to nsSVGEffects::InvalidateRenderingObservers to prevent crashes r=dholbert
layout/svg/crashtests/1156581-1.svg
layout/svg/crashtests/crashtests.list
layout/svg/nsSVGEffects.cpp
new file mode 100644
--- /dev/null
+++ b/layout/svg/crashtests/1156581-1.svg
@@ -0,0 +1,12 @@
+<svg xmlns="http://www.w3.org/2000/svg" style="filter: url(#a); clip: rect(0px, 4rem, 2px, 2px);">
+    <script>
+        function boom()
+        {
+            document.getElementById("a").style.overflow = "hidden";
+            document.documentElement.style.fontSize = "10px";
+        }
+        window.addEventListener("load", boom, false);
+    </script>
+
+    <set id="a"/>
+</svg>
--- a/layout/svg/crashtests/crashtests.list
+++ b/layout/svg/crashtests/crashtests.list
@@ -187,12 +187,13 @@ load 974746-1.svg
 load 975773-1.svg
 load 979407-1.svg
 load 979407-2.svg
 load 993443.svg
 load 1016145.svg
 load 1028512.svg
 load 1140080-1.svg
 load 1149542-1.svg
+load 1156581-1.svg
 load 1182496-1.html
 load 1209525-1.svg
 load 1223281-1.svg
 load extref-test-1.xhtml
--- a/layout/svg/nsSVGEffects.cpp
+++ b/layout/svg/nsSVGEffects.cpp
@@ -765,24 +765,25 @@ nsSVGEffects::RemoveAllRenderingObserver
   }
 }
 
 void
 nsSVGEffects::InvalidateRenderingObservers(nsIFrame *aFrame)
 {
   NS_ASSERTION(!aFrame->GetPrevContinuation(), "aFrame must be first continuation");
 
-  if (!aFrame->GetContent()->IsElement())
+  nsIContent* content = aFrame->GetContent();
+  if (!content || !content->IsElement())
     return;
 
   // If the rendering has changed, the bounds may well have changed too:
   aFrame->Properties().Delete(nsSVGUtils::ObjectBoundingBoxProperty());
 
   nsSVGRenderingObserverList *observerList =
-    GetObserverList(aFrame->GetContent()->AsElement());
+    GetObserverList(content->AsElement());
   if (observerList) {
     observerList->InvalidateAll();
     return;
   }
 
   // Check ancestor SVG containers. The root frame cannot be of type
   // eSVGContainer so we don't have to check f for null here.
   for (nsIFrame *f = aFrame->GetParent();
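Review bot: The new `!content` early return in InvalidateRenderingObservers carries no comment saying which frames can legitimately reach it without content, so a reader cannot tell an expected case from a caller bug that is now silently hidden. I would add a line above the check such as `// Frames with no content node have no observer list; nothing to invalidate. (TODO confirm which frame types hit this)`, and brace the `return;` while the line is being touched. The NS_ASSERTION above still dereferences aFrame unconditionally, which is fine only if callers never pass null. The function body continues past this hunk, so it is not visible whether the ancestor loop also calls GetContent() on `f` without a check; if it does, it probably needs the same guard.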
@@ -816,12 +817,13 @@ nsSVGEffects::InvalidateDirectRenderingO
       }
     }
   }
 }
 
 void
 nsSVGEffects::InvalidateDirectRenderingObservers(nsIFrame *aFrame, uint32_t aFlags /* = 0 */)
 {
-  if (aFrame->GetContent() && aFrame->GetContent()->IsElement()) {
-    InvalidateDirectRenderingObservers(aFrame->GetContent()->AsElement(), aFlags);
+  nsIContent* content = aFrame->GetContent();
+  if (content && content->IsElement()) {
+    InvalidateDirectRenderingObservers(content->AsElement(), aFlags);
   }
 }