Bug 1423776 - Return error when splitted node might be orphan. r=masayuki
authorMakoto Kato <m_kato@ga2.so-net.ne.jp>
Mon, 04 Jun 2018 16:31:38 +0900
changeset 804152 988847e0ed2ec4f3c87fa3cf92c08eb2a1acd18c
parent 804151 a47957da1983ecb6d7b3ec323c84ec71421251b6
child 804153 b523c89c3497596fab20cda825115daa5b0b7ac4
push id112312
push userbmo:standard8@mozilla.com
push dateTue, 05 Jun 2018 16:07:56 +0000
reviewersmasayuki
bugs1423776
milestone62.0a1
Bug 1423776 - Return error when splitted node might be orphan. r=masayuki This crash occurs when the start container of the range for the range updater is nullptr in GetNodesForOperation. SplitNodeDeepWithTransaction can return an orphan node as the split node, so we should return an error when the split node is an orphan node. MozReview-Commit-ID: 3ySdzc9FAzL
editor/libeditor/HTMLEditRules.cpp
editor/libeditor/crashtests/1423776.html
editor/libeditor/crashtests/crashtests.list
--- a/editor/libeditor/HTMLEditRules.cpp
+++ b/editor/libeditor/HTMLEditRules.cpp
@@ -7818,16 +7818,19 @@ HTMLEditRules::BustUpInlinesAtRangeEndpo
                         SplitAtEdges::eDoNotCreateEmptyContainer);
     if (NS_WARN_IF(!CanHandleEditAction())) {
       return NS_ERROR_EDITOR_DESTROYED;
     }
     if (NS_WARN_IF(splitEndInlineResult.Failed())) {
       return splitEndInlineResult.Rv();
     }
     EditorRawDOMPoint splitPointAtEnd(splitEndInlineResult.SplitPoint());
+    if (NS_WARN_IF(!splitPointAtEnd.IsSet())) {
+      return NS_ERROR_FAILURE;
+    }
     aRangeItem.mEndContainer = splitPointAtEnd.GetContainer();
     aRangeItem.mEndOffset = splitPointAtEnd.Offset();
   }
 
   nsCOMPtr<nsIContent> startInline =
     GetHighestInlineParent(*aRangeItem.mStartContainer);
 
   if (startInline) {
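Review bot: The new `!splitPointAtEnd.IsSet()` check carries no comment explaining why a split that did not report `Failed()` can still yield an unset point; that reasoning lives only in the commit message. I would add above it `// The split can succeed yet leave the split node without a parent (orphan), so the split point may be unset; bail out rather than store what may be a null container.` The same comment fits the matching `splitPointAtStart` check in the second hunk. The enclosing function starts before this hunk, so the wording should be checked against its header comment.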
@@ -7842,16 +7845,19 @@ HTMLEditRules::BustUpInlinesAtRangeEndpo
     }
     if (NS_WARN_IF(splitStartInlineResult.Failed())) {
       return splitStartInlineResult.Rv();
     }
     // XXX If we split only here because of collapsed range, we're modifying
     //     only start point of aRangeItem.  Shouldn't we modify end point here
     //     if it's collapsed?
     EditorRawDOMPoint splitPointAtStart(splitStartInlineResult.SplitPoint());
+    if (NS_WARN_IF(!splitPointAtStart.IsSet())) {
+      return NS_ERROR_FAILURE;
+    }
     aRangeItem.mStartContainer = splitPointAtStart.GetContainer();
     aRangeItem.mStartOffset = splitPointAtStart.Offset();
   }
 
   return NS_OK;
 }
 
 nsresult
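Review bot: When the start-side check `!splitPointAtStart.IsSet()` returns `NS_ERROR_FAILURE`, the end-side block earlier in the function may already have rewritten `aRangeItem.mEndContainer`/`mEndOffset` and split the DOM, so the caller can get back a half-updated range item. Callers are not visible here, so this matters only if one of them keeps using `aRangeItem` after a failure. A contract comment on the function would settle it, e.g. `// On failure, aRangeItem may be partially updated and must not be used.` The function's start is outside this hunk.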
new file mode 100644
--- /dev/null
+++ b/editor/libeditor/crashtests/1423776.html
@@ -0,0 +1,15 @@
+<script>
+function go() {
+  svgvar00002.addEventListener("DOMNodeInserted", () => {
+    svg.appendChild(svgvar00008);
+    document.execCommand("insertOrderedList", false);
+  });
+  svgvar00002.insertAdjacentHTML("afterBegin", table.outerHTML);
+}
+</script>
+<body onload=go()>
+<table id="table"></table>
+<b contenteditable="true">
+<svg id="svg">
+<feConvolveMatrix id="svgvar00002"/>
+<feConvolveMatrix id="svgvar00008"/>
--- a/editor/libeditor/crashtests/crashtests.list
+++ b/editor/libeditor/crashtests/crashtests.list
@@ -92,13 +92,14 @@ needs-focus load 1402196.html
 load 1402469.html
 load 1402526.html
 load 1402904.html
 load 1405747.html
 load 1408170.html
 load 1414581.html
 load 1415231.html
 load 1423767.html
+needs-focus load 1423776.html
 needs-focus load 1424450.html
 load 1425091.html
 load 1443664.html
 skip-if(Android) needs-focus load 1444630.html
 load 1446451.html