Bug 1471157. Fix null-deref crash when a drop event has no DataTransfer. r=nika a=lizzard
authorBoris Zbarsky <bzbarsky@mit.edu>
Wed, 27 Jun 2018 12:04:26 -0400
changeset 480247 7ccdd10cf1b0baeeb77b18894641f140403ccb10
parent 480246 0b8330a22470d371d43bc49cc22967e91dc8e294
child 480248 e09909cb2297c14e75e9a94425af8e5b8e605094
push id1757
push userffxbld-merge
push dateFri, 24 Aug 2018 17:02:43 +0000
treeherdermozilla-release@736023aebdb1 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersnika, lizzard
bugs1471157
milestone62.0
Bug 1471157. Fix null-deref crash when a drop event has no DataTransfer. r=nika a=lizzard https://hg.mozilla.org/mozilla-central/rev/41d99ad7144f removed a null-check that shouldn't have been removed: the datatransfer argument might actually be null here.
layout/forms/crashtests/1471157.html
layout/forms/crashtests/crashtests.list
layout/forms/nsFileControlFrame.cpp
new file mode 100644
--- /dev/null
+++ b/layout/forms/crashtests/1471157.html
@@ -0,0 +1,11 @@
+<!doctype html>
+<input type="file">
+<script>
+  onload = function() {
+    var input = document.querySelector("input");
+    console.log(input.offsetWidth);  // Force layout flush and hence layout box
+                                     // creation.
+    input.dispatchEvent(new DragEvent("drop"));
+  }
+</script>
+
--- a/layout/forms/crashtests/crashtests.list
+++ b/layout/forms/crashtests/crashtests.list
@@ -69,8 +69,9 @@ load 1228670.xhtml
 load 1279354.html
 load 1388230-1.html
 load 1388230-2.html
 load 1405830.html
 load 1418477.html
 load 1432853.html
 asserts(2-4) load 1460787-1.html
 load 1464165-1.html
+load 1471157.html
--- a/layout/forms/nsFileControlFrame.cpp
+++ b/layout/forms/nsFileControlFrame.cpp
@@ -375,16 +375,20 @@ nsFileControlFrame::DnDListener::GetBlob
   }
 
   return NS_ERROR_FAILURE;
 }
 
 bool
 nsFileControlFrame::DnDListener::IsValidDropData(DataTransfer* aDataTransfer)
 {
+  if (!aDataTransfer) {
+    return false;
+  }
+
   // We only support dropping files onto a file upload control
   nsTArray<nsString> types;
   aDataTransfer->GetTypes(types, CallerType::System);
 
   return types.Contains(NS_LITERAL_STRING("Files"));
 }
 
 bool