Bug 798802 - Fix layer uninitialised in nsHTMLCanvasElement::InvalidateCanvasContent(). r=mattwoodrow
authorAnthony Jones <ajones@mozilla.com>
Thu, 11 Oct 2012 21:31:39 -0400
changeset 110144 e05e9c4666e14b1e59352ec98430692093601b6c
parent 110143 887b293a2fd396dd012d292f36797727c7049553
child 110145 dab0a2f7a5cadf6035ae9729cd67464351ce71c3
push id93
push usernmatsakis@mozilla.com
push dateWed, 31 Oct 2012 21:26:57 +0000
reviewersmattwoodrow
bugs798802
milestone19.0a1
Bug 798802 - Fix layer uninitialised in nsHTMLCanvasElement::InvalidateCanvasContent(). r=mattwoodrow
content/html/content/crashtests/798802-1.html
content/html/content/crashtests/crashtests.list
content/html/content/src/nsHTMLCanvasElement.cpp
new file mode 100644
--- /dev/null
+++ b/content/html/content/crashtests/798802-1.html
@@ -0,0 +1,18 @@
+<html>
+  <head>
+    <script>
+      onload = function() {
+        var canvas2d = document.createElement('canvas')
+        canvas2d.setAttribute('width', 0)
+        document.body.appendChild(canvas2d)
+        var ctx2d = canvas2d.getContext('2d')
+        ctx2d.fillStyle = 'black'
+        var gl = document.createElement('canvas').getContext('experimental-webgl')
+        gl.texImage2D(gl.TEXTURE_2D, 0, gl.RGBA, gl.RGBA, gl.UNSIGNED_BYTE, canvas2d)
+        ctx2d.fillRect(0, 0, 1, 1)
+      }
+    </script>
+  </head>
+  <body>
+  </body>
+</html>
--- a/content/html/content/crashtests/crashtests.list
+++ b/content/html/content/crashtests/crashtests.list
@@ -36,8 +36,9 @@ load 682460.html
 load 673853.html
 load 738744.xhtml
 load 741250.xhtml
 load 795221-1.html
 load 795221-2.html
 load 795221-3.html
 load 795221-4.html
 load 795221-5.xml
+load 798802-1.html
--- a/content/html/content/src/nsHTMLCanvasElement.cpp
+++ b/content/html/content/src/nsHTMLCanvasElement.cpp
@@ -831,17 +831,17 @@ nsHTMLCanvasElement::InvalidateCanvasCon
   // We don't need to flush anything here; if there's no frame or if
   // we plan to reframe we don't need to invalidate it anyway.
   nsIFrame *frame = GetPrimaryFrame();
   if (!frame)
     return;
 
   frame->MarkLayersActive(nsChangeHint(0));
 
-  Layer* layer;
+  Layer* layer = nullptr;
   if (damageRect) {
     nsIntSize size = GetWidthHeight();
     if (size.width != 0 && size.height != 0) {
 
       gfxRect realRect(*damageRect);
       realRect.RoundOut();
 
       // then make it a nsRect