Bug 1134545 - Insufficient null check. r=ehsan, a=sledru
authorAryeh Gregor <ayg@aryeh.name>
Wed, 25 Mar 2015 13:52:56 -0400
changeset 258430 5f042fe29707
parent 258429 10c3198eb453
child 258431 999636e73165
push id4668
push userryanvm@gmail.com
push date2015-04-13 16:23 +0000
treeherdermozilla-beta@002faed66e96 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersehsan, sledru
bugs1134545
milestone38.0
Bug 1134545 - Insufficient null check. r=ehsan, a=sledru
editor/libeditor/crashtests/1134545.html
editor/libeditor/crashtests/crashtests.list
editor/libeditor/nsHTMLEditorStyle.cpp
new file mode 100644
--- /dev/null
+++ b/editor/libeditor/crashtests/1134545.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<!-- saved from url=(0065)https://bug1134545.bugzilla.mozilla.org/attachment.cgi?id=8566418 -->
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
+<script>
+
+function boom()
+{
+    textNode = document.createTextNode(" ");
+    x.appendChild(textNode);
+    x.setAttribute('contenteditable', "true");
+    textNode.remove();
+    window.getSelection().selectAllChildren(textNode);
+    document.execCommand("increasefontsize", false, null);
+}
+
+</script>
+</head>
+<body onload="boom();">
+<div id="x" contenteditable="true"></div>
+
+
+</body></html>
\ No newline at end of file
--- a/editor/libeditor/crashtests/crashtests.list
+++ b/editor/libeditor/crashtests/crashtests.list
@@ -54,8 +54,9 @@ load 767169.html
 load 769967.xhtml
 load 768748.html
 load 768765.html
 needs-focus load 771749.html
 load 772282.html
 load 776323.html
 needs-focus load 793866.html
 load 1057677.html
+load 1134545.html
--- a/editor/libeditor/nsHTMLEditorStyle.cpp
+++ b/editor/libeditor/nsHTMLEditorStyle.cpp
@@ -1517,20 +1517,20 @@ nsHTMLEditor::RelativeFontChange( int32_
     } else {
       atom = nsGkAtoms::small;
     }
 
     // Let's see in what kind of element the selection is
     int32_t offset;
     nsCOMPtr<nsINode> selectedNode;
     GetStartNodeAndOffset(selection, getter_AddRefs(selectedNode), &offset);
-    NS_ENSURE_TRUE(selectedNode, NS_OK);
-    if (IsTextNode(selectedNode)) {
+    if (selectedNode && IsTextNode(selectedNode)) {
       selectedNode = selectedNode->GetParentNode();
     }
+    NS_ENSURE_TRUE(selectedNode, NS_OK);
     if (!CanContainTag(*selectedNode, *atom)) {
       return NS_OK;
     }
 
     // manipulating text attributes on a collapsed selection only sets state for the next text insertion
     mTypeInState->SetProp(atom, EmptyString(), EmptyString());
     return NS_OK;
   }