Bug 949990 - XPath: "Assertion failure: isNode() || isIterator() || isSnapshot()", throw NOT_SUPPORTED_ERR if an invalid value is passed in. r=bz.
authorPeter Van der Beken <peterv@propagandism.org>
Tue, 07 Nov 2017 14:17:38 +0100
changeset 444297 e603b29a540b1dd4422496dcd60068a5dadac2e5
parent 444296 006b8806bac9f6898be42022d2788c31679be494
child 444298 3913d21df1283db6b214e8050c97e2bcd2050c86
push id1618
push userCallek@gmail.com
push dateThu, 11 Jan 2018 17:45:48 +0000
treeherdermozilla-release@882ca853e05a [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersbz
bugs949990
milestone58.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 949990 - XPath: "Assertion failure: isNode() || isIterator() || isSnapshot()", throw NOT_SUPPORTED_ERR if an invalid value is passed in. r=bz.
dom/xslt/crashtests/949990.html
dom/xslt/crashtests/crashtests.list
dom/xslt/xpath/XPathExpression.cpp
new file mode 100644
--- /dev/null
+++ b/dom/xslt/crashtests/949990.html
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta charset="UTF-8">
+<script>
+
+function boom() {
+    document.evaluate("a", document.documentElement, null, 4096, null);
+}
+
+</script>
+</head>
+
+<body onload="boom()"></body>
+</html>
--- a/dom/xslt/crashtests/crashtests.list
+++ b/dom/xslt/crashtests/crashtests.list
@@ -10,14 +10,15 @@ load 527558_1.xml
 load 528300.xml
 load 528488.xml
 load 528963.xml
 load 545927.html
 load 601543.html
 load 602115.html
 load 603844.html
 load 667315.xml
+load 949990.html
 load 1089049.html
 load 1205163.xml
 load 1243337.xml
 load 1330492.html
 load 1338277.html
 load 1361892.html
--- a/dom/xslt/xpath/XPathExpression.cpp
+++ b/dom/xslt/xpath/XPathExpression.cpp
@@ -96,16 +96,21 @@ XPathExpression::EvaluateWithContext(nsI
                                      XPathResult* aInResult,
                                      ErrorResult& aRv)
 {
     if (aContextPosition > aContextSize) {
         aRv.Throw(NS_ERROR_FAILURE);
         return nullptr;
     }
 
+    if (aType > XPathResultBinding::FIRST_ORDERED_NODE_TYPE) {
+        aRv.Throw(NS_ERROR_DOM_NOT_SUPPORTED_ERR);
+        return nullptr;
+    }
+
     if (!nsContentUtils::LegacyIsCallerNativeCode() &&
         !nsContentUtils::CanCallerAccess(&aContextNode))
     {
         aRv.Throw(NS_ERROR_DOM_SECURITY_ERR);
         return nullptr;
     }
 
     if (mCheckDocument) {