Bug 802926: Null check the callback passed to toBlob. r=sicking
authorKyle Huey <khuey@kylehuey.com>
Thu, 18 Oct 2012 23:59:38 -0700
changeset 110842 0ff60bfb3442c075795d3cc4a49e02bc88dd8506
parent 110841 3f2acb6146321f4c90b4fe3c5b0e36eb42141ca0
child 110843 2f83907a7087c431113bf6b5a67324cb3c692626
push id93
push usernmatsakis@mozilla.com
push dateWed, 31 Oct 2012 21:26:57 +0000
reviewerssicking
bugs802926
milestone19.0a1
Bug 802926: Null check the callback passed to toBlob. r=sicking
content/canvas/crashtests/802926-1.html
content/canvas/crashtests/crashtests.list
content/html/content/src/nsHTMLCanvasElement.cpp
new file mode 100644
--- /dev/null
+++ b/content/canvas/crashtests/802926-1.html
@@ -0,0 +1,6 @@
+<!DOCTYPE html>
+<script>
+
+document.createElement('canvas').toBlob(null);
+
+</script>
--- a/content/canvas/crashtests/crashtests.list
+++ b/content/canvas/crashtests/crashtests.list
@@ -10,8 +10,9 @@ load 729116.html
 load 745699-1.html
 load 746813-1.html
 # this test crashes in a bunch places still
 #load 745818-large-source.html
 load 743499-negative-size.html
 load 767337-1.html
 load 780392-1.html
 load 794463-1.html
+load 802926-1.html
--- a/content/html/content/src/nsHTMLCanvasElement.cpp
+++ b/content/html/content/src/nsHTMLCanvasElement.cpp
@@ -583,16 +583,20 @@ nsHTMLCanvasElement::ToBlob(nsIFileCallb
                             nsIVariant* aParams,
                             uint8_t optional_argc)
 {
   // do a trust check if this is a write-only canvas
   if (mWriteOnly && !nsContentUtils::IsCallerTrustedForRead()) {
     return NS_ERROR_DOM_SECURITY_ERR;
   }
 
+  if (!aCallback) {
+    return NS_ERROR_UNEXPECTED;
+  }
+
   nsAutoString type;
   nsresult rv = nsContentUtils::ASCIIToLower(aType, type);
   if (NS_FAILED(rv)) {
     return rv;
   }
 
   bool fallbackToPNG = false;
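Review bot: The new guard in ToBlob returns `NS_ERROR_UNEXPECTED`, which tells the calling script nothing about which argument was wrong. Since the null comes straight from content (the crashtest calls `toBlob(null)`), an argument error such as `return NS_ERROR_INVALID_ARG;` would describe the failure more accurately. A short comment above the check, e.g. `// aCallback is supplied by content script and may be null.`, would record why the guard exists; the dereference it protects is presumably later in the function and is not visible in this hunk. Placing the guard after the write-only trust check is right, because `NS_ERROR_DOM_SECURITY_ERR` still takes precedence for untrusted callers. ToBlob's body continues beyond the end of the hunk.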