Bug 1057677 - Crash in nsHTMLEditor::DoInsertHTMLWithContext. r=ehsan, a=sledru
authorAryeh Gregor <ayg@aryeh.name>
Tue, 26 Aug 2014 16:13:22 +0300
changeset 217693 d9f049319699de2e8fd50f7603520490f95e4c22
parent 217692 940e5cddd6d0e0b118aa7f36a913369372c1df70
child 217694 46c3498c3bcd3386a9011bb554f69cd3726df266
push id515
push userraliiev@mozilla.com
push dateMon, 06 Oct 2014 12:51:51 +0000
treeherdermozilla-release@267c7a481bef [default view] [failures only]
reviewersehsan, sledru
bugs1057677
milestone33.0a2
Bug 1057677 - Crash in nsHTMLEditor::DoInsertHTMLWithContext. r=ehsan, a=sledru
editor/libeditor/html/crashtests/1057677.html
editor/libeditor/html/crashtests/crashtests.list
editor/libeditor/html/nsHTMLDataTransfer.cpp
new file mode 100644
--- /dev/null
+++ b/editor/libeditor/html/crashtests/1057677.html
@@ -0,0 +1,9 @@
+<html><body></body><script>
+document.designMode = "on";
+var hrElem = document.createElement("HR");
+var select = window.getSelection();
+document.body.appendChild(hrElem);
+select.collapse(hrElem,0);
+document.execCommand("InsertHTML", false, "<div>foo</div><div>bar</div>");
+</script>
+</html>
--- a/editor/libeditor/html/crashtests/crashtests.list
+++ b/editor/libeditor/html/crashtests/crashtests.list
@@ -31,8 +31,9 @@ load 761861.html
 load 769008-1.html
 load 766305.html
 load 766387.html
 load 766795.html
 load 767169.html
 load 769967.xhtml
 load 768748.html
 needs-focus load 793866.html
+load 1057677.html
--- a/editor/libeditor/html/nsHTMLDataTransfer.cpp
+++ b/editor/libeditor/html/nsHTMLDataTransfer.cpp
@@ -406,19 +406,19 @@ nsHTMLEditor::DoInsertHTMLWithContext(co
 
     // Adjust position based on the first node we are going to insert.
     NormalizeEOLInsertPosition(nodeList[0], address_of(parentNode), &offsetOfNewNode);
 
     // if there are any invisible br's after our insertion point, remove them.
     // this is because if there is a br at end of what we paste, it will make
     // the invisible br visible.
     nsWSRunObject wsObj(this, parentNode, offsetOfNewNode);
-    if (nsTextEditUtils::IsBreak(wsObj.mEndReasonNode) && 
-        !IsVisBreak(wsObj.mEndReasonNode) )
-    {
+    if (wsObj.mEndReasonNode &&
+        nsTextEditUtils::IsBreak(wsObj.mEndReasonNode) &&
+        !IsVisBreak(wsObj.mEndReasonNode)) {
       rv = DeleteNode(wsObj.mEndReasonNode);
       NS_ENSURE_SUCCESS(rv, rv);
     }
 
     // Remember if we are in a link.
     bool bStartedInLink = IsInLink(parentNode);
 
     // Are we in a text node? If so, split it.
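Review bot: The new `wsObj.mEndReasonNode &&` guard protects only this call site, and nothing in the condition records why the node can be null. Script in any editable document can reach this path through `execCommand("InsertHTML", ...)`, as the crashtest shows, so the reason is worth a comment above the `if`, for example `// mEndReasonNode may be null, e.g. when the selection is collapsed inside an <hr> (crashtest 1057677.html)`. `nsTextEditUtils::IsBreak` and `IsVisBreak` are not visible here, but the crash suggests they dereference their argument without a check. If so, a null check inside those helpers would cover every other caller that passes an `nsWSRunObject` reason node unchecked. The body of `DoInsertHTMLWithContext` starts and ends outside this hunk, so I could not confirm whether later uses of `wsObj` are already guarded.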