Bug 776323 part 1 - Fix crash due to silly logic error in nsSelectionState::SaveSelection; r=ehsan a=akeybl
authorAryeh Gregor <ayg@aryeh.name>
Mon, 23 Jul 2012 13:27:22 +0300
changeset 100381 80000a1e4ea0cfa2b31ffdf84e8f961e8dfe26df
parent 100380 6795c18e6b6cffeef604587ef31e4f1596c36b95
child 100382 268e31db5949cdfb8a709ca50d8d7c14162e6bdf
push id1189
push usereakhgari@mozilla.com
push dateMon, 30 Jul 2012 17:50:36 +0000
reviewersehsan, akeybl
bugs776323
milestone15.0
Bug 776323 part 1 - Fix crash due to silly logic error in nsSelectionState::SaveSelection; r=ehsan a=akeybl
editor/libeditor/base/crashtests/776323.html
editor/libeditor/base/crashtests/crashtests.list
editor/libeditor/base/nsSelectionState.cpp
new file mode 100644
--- /dev/null
+++ b/editor/libeditor/base/crashtests/776323.html
@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<html contenteditable="true">
+<head>
+<script>
+
+function boom()
+{
+  document.execCommand("inserthtml", false, "b");
+  var myrange = document.createRange();
+  myrange.selectNodeContents(document.getElementsByTagName("img")[0]);
+  window.getSelection().addRange(myrange);
+  document.execCommand("strikethrough", false, null);
+}
+
+</script>
+</head>
+<body onload="boom();"><img></body>
+</html>
--- a/editor/libeditor/base/crashtests/crashtests.list
+++ b/editor/libeditor/base/crashtests/crashtests.list
@@ -5,8 +5,9 @@ load 407079-1.html
 load 407256-1.html
 load 430624-1.html
 load 459613.html
 load 475132-1.xhtml
 load 633709.xhtml
 load 636074-1.html
 load 713427-1.html
 load 713427-2.xhtml
+load 776323.html
--- a/editor/libeditor/base/nsSelectionState.cpp
+++ b/editor/libeditor/base/nsSelectionState.cpp
@@ -44,19 +44,17 @@ nsSelectionState::SaveSelection(nsISelec
 {
   NS_ENSURE_TRUE(aSel, NS_ERROR_NULL_POINTER);
   PRInt32 i,rangeCount, arrayCount = mArray.Length();
   aSel->GetRangeCount(&rangeCount);
   
   // if we need more items in the array, new them
   if (arrayCount<rangeCount)
   {
-    PRInt32 count = rangeCount-arrayCount;
-    for (i=0; i<count; i++)
-    {
+    for (i = arrayCount; i < rangeCount; i++) {
       mArray.AppendElement();
       mArray[i] = new nsRangeStore();
     }
   }
   
   // else if we have too many, delete them
   else if (arrayCount>rangeCount)
   {
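Review bot: The bound of the new loop, `rangeCount`, is only set by `aSel->GetRangeCount(&rangeCount);` whose result is ignored, and `rangeCount` is declared without an initializer, so a failing call would let `for (i = arrayCount; i < rangeCount; i++)` grow and index `mArray` from an indeterminate value. Assuming SaveSelection returns nsresult, as the `NS_ENSURE_TRUE(aSel, NS_ERROR_NULL_POINTER)` line suggests, I would check the call: `nsresult res = aSel->GetRangeCount(&rangeCount);` followed by `NS_ENSURE_SUCCESS(res, res);`. Separately, appending and then assigning through `mArray[i]` is the pattern that let the index and the array length disagree before this fix; if the element type permits it, `mArray.AppendElement(new nsRangeStore());` would take the index out of this loop altogether. SaveSelection starts above this hunk and continues past its last line, so later uses of `rangeCount` and `mArray` are not visible here.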