Bug 927558 - Missing null check in Selection::GetPrimaryFrameForFocusNode; r=ehsan
authorAryeh Gregor <ayg@aryeh.name>
Wed, 02 Apr 2014 19:01:01 +0300
changeset 195780 ef9ec6d75f13dc65b3679bb01c71798d7fe08a68
parent 195779 b07cc963d7a1fe6248211b22c25720417733555b
child 195781 1f9bd1c29a40beb87403699cde01c083366e1d28
push id3624
push userasasaki@mozilla.com
push dateMon, 09 Jun 2014 21:49:01 +0000
reviewersehsan
bugs927558
milestone31.0a1
Bug 927558 - Missing null check in Selection::GetPrimaryFrameForFocusNode; r=ehsan
layout/generic/crashtests/927558.html
layout/generic/crashtests/crashtests.list
layout/generic/nsSelection.cpp
new file mode 100644
--- /dev/null
+++ b/layout/generic/crashtests/927558.html
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<meta charset="UTF-8">
+<script>
+
+function boom()
+{
+  var range = document.createRange();
+  range.setStart(document.documentElement, 0);
+  var frame = document.getElementById("f");
+  var frameSel = frame.contentWindow.getSelection();
+  document.body.removeChild(frame);
+  frameSel.addRange(range);
+  frameSel.modify("move", "right", "character");
+}
+
+</script>
+</head>
+
+<body onload="boom();">
+<iframe id="f" src="data:text/html,<!doctype html>1"></iframe>
+
+
+</body></html>
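Review bot: The crashtest carries no comment saying what it reproduces, so a reader of the crashtests directory has to work backwards from the bug number; a one-line note at the top such as `<!-- Bug 927558: calling modify() on the selection of an iframe that has been removed from the document must not crash (the fix adds a null pres-shell check in Selection::GetPrimaryFrameForFocusNode). -->` would capture it. The two charset declarations on L36-L37 are redundant; `<meta charset="UTF-8">` alone is enough, and dropping the `http-equiv` form is a point of style only. The `document.body.removeChild(frame)` on L46 followed by the `addRange`/`modify` calls is the essential sequence and is worth naming in that comment.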
--- a/layout/generic/crashtests/crashtests.list
+++ b/layout/generic/crashtests/crashtests.list
@@ -517,15 +517,16 @@ load 862947-1.html
 needs-focus pref(accessibility.browsewithcaret,true) load 868906.html
 load 866547-1.html
 asserts(1-4) load 876074-1.html # bug 876749
 load 885009-1.html
 load 893496-1.html
 load 893523.html
 test-pref(layout.css.sticky.enabled,true) load 914891.html
 test-pref(layout.css.sticky.enabled,true) load 915475.xhtml
+load 927558.html
 load 943509-1.html
 asserts(4-8) load 944909-1.html
 test-pref(layout.css.sticky.enabled,true) load 949932.html
 load 973701-1.xhtml
 load 973701-2.xhtml
 load 986899.html
 load outline-on-frameset.xhtml
--- a/layout/generic/nsSelection.cpp
+++ b/layout/generic/nsSelection.cpp
@@ -3870,26 +3870,28 @@ Selection::GetPrimaryFrameForFocusNode(n
 {
   if (!aReturnFrame)
     return NS_ERROR_NULL_POINTER;
   
   nsCOMPtr<nsIContent> content = do_QueryInterface(GetFocusNode());
   if (!content || !mFrameSelection)
     return NS_ERROR_FAILURE;
   
-  nsIPresShell *presShell = mFrameSelection->GetShell();
-
   int32_t frameOffset = 0;
   *aReturnFrame = 0;
   if (!aOffsetUsed)
     aOffsetUsed = &frameOffset;
     
   nsFrameSelection::HINT hint = mFrameSelection->GetHint();
 
   if (aVisual) {
+    nsIPresShell *presShell = mFrameSelection->GetShell();
+    if (!presShell)
+      return NS_ERROR_FAILURE;
+
     nsRefPtr<nsCaret> caret = presShell->GetCaret();
     if (!caret)
       return NS_ERROR_FAILURE;
     
     uint8_t caretBidiLevel = mFrameSelection->GetCaretBidiLevel();
 
     return caret->GetCaretFrameForNodeOffset(content, FocusOffset(),
       hint, caretBidiLevel, aReturnFrame, aOffsetUsed);
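Review bot: The new guard at L100-L101 has no comment explaining why `mFrameSelection->GetShell()` can return null here, and that is the non-obvious part of the fix; the crashtest reaches this path through a selection whose iframe was removed from the document (L46), so `// The frame selection can outlive its pres shell (e.g. the selection's iframe was removed from the document), so GetShell() may return null.` above the check would tell the next reader what the check is for. The guard only covers the `aVisual` branch, and GetPrimaryFrameForFocusNode continues past the end of this hunk, so I cannot tell from here whether the non-visual path below also needs a shell; since the old unconditional lookup at L89 was removed rather than guarded, presumably it does not, but that is worth confirming. As a point of style, `*aReturnFrame = 0;` on L92 is a pointer assignment and `*aReturnFrame = nullptr;` would read more clearly if the tree has adopted `nullptr`.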