Bug 716527 - Prevent nsSVGForeignObjectFrame::PaintSVG from dereference null aDirtyRect. r=roc
authorJonathan Watt <jwatt@jwatt.org>
Sat, 28 Jan 2012 10:42:59 +0000
changeset 86882 b945ae00f5f582c3023fbe72f8ad253c5bc940b0
parent 86881 cb21301bbdd3408124b9235196fcc187087fcd61
child 86883 b939fbd0a46f9e6db2651c850641a3874996cf3c
push id805
push userakeybl@mozilla.com
push dateWed, 01 Feb 2012 18:17:35 +0000
treeherdermozilla-aurora@6fb3bf232436 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersroc
bugs716527
milestone12.0a1
Bug 716527 - Prevent nsSVGForeignObjectFrame::PaintSVG from dereference null aDirtyRect. r=roc
layout/svg/base/src/nsSVGForeignObjectFrame.cpp
--- a/layout/svg/base/src/nsSVGForeignObjectFrame.cpp
+++ b/layout/svg/base/src/nsSVGForeignObjectFrame.cpp
@@ -252,28 +252,30 @@ nsSVGForeignObjectFrame::PaintSVG(nsSVGR
   gfx->Multiply(matrixForChildren);
 
   // Transform the dirty rect into the rectangle containing the
   // transformed dirty rect.
   gfxMatrix invmatrix = matrix.Invert();
   NS_ASSERTION(!invmatrix.IsSingular(),
                "inverse of non-singular matrix should be non-singular");
 
-  gfxRect transDirtyRect = gfxRect(aDirtyRect->x, aDirtyRect->y,
-                                   aDirtyRect->width, aDirtyRect->height);
-  transDirtyRect = invmatrix.TransformBounds(transDirtyRect);
+  nsRect kidDirtyRect = kid->GetVisualOverflowRect();
+  if (aDirtyRect) {
+    gfxRect transDirtyRect = gfxRect(aDirtyRect->x, aDirtyRect->y,
+                                     aDirtyRect->width, aDirtyRect->height);
+    transDirtyRect = invmatrix.TransformBounds(transDirtyRect);
 
-  transDirtyRect.Scale(nsPresContext::AppUnitsPerCSSPixel());
-  nsPoint tl(NSToCoordFloor(transDirtyRect.X()),
-             NSToCoordFloor(transDirtyRect.Y()));
-  nsPoint br(NSToCoordCeil(transDirtyRect.XMost()),
-             NSToCoordCeil(transDirtyRect.YMost()));
-  nsRect kidDirtyRect(tl.x, tl.y, br.x - tl.x, br.y - tl.y);
-
-  kidDirtyRect.IntersectRect(kidDirtyRect, kid->GetRect());
+    transDirtyRect.Scale(nsPresContext::AppUnitsPerCSSPixel());
+    nsPoint tl(NSToCoordFloor(transDirtyRect.X()),
+               NSToCoordFloor(transDirtyRect.Y()));
+    nsPoint br(NSToCoordCeil(transDirtyRect.XMost()),
+               NSToCoordCeil(transDirtyRect.YMost()));
+    kidDirtyRect.IntersectRect(kidDirtyRect,
+                               nsRect(tl.x, tl.y, br.x - tl.x, br.y - tl.y));
+  }
 
   PRUint32 flags = nsLayoutUtils::PAINT_IN_TRANSFORM;
   if (aContext->IsPaintingToWindow()) {
     flags |= nsLayoutUtils::PAINT_TO_WINDOW;
   }
   nsresult rv = nsLayoutUtils::PaintFrame(ctx, kid, nsRegion(kidDirtyRect),
                                           NS_RGBA(0,0,0,0), flags);