summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorNew Tobin Paradigm <email@mattatobin.com>2018-04-13 15:43:09 -0400
committerGitHub <noreply@github.com>2018-04-13 15:43:09 -0400
commit501db456d4d84a9345374e9b15775f6e10883a41 (patch)
tree279b8777ec467e25e157eed36d1ff30514ec9c17
parent356c948bbde4271d17692abac0422e0eb5e609ed (diff)
parent84e449502f51e192d337eb793946d5b03f4c6460 (diff)
downloadUXP-501db456d4d84a9345374e9b15775f6e10883a41.tar
UXP-501db456d4d84a9345374e9b15775f6e10883a41.tar.gz
UXP-501db456d4d84a9345374e9b15775f6e10883a41.tar.lz
UXP-501db456d4d84a9345374e9b15775f6e10883a41.tar.xz
UXP-501db456d4d84a9345374e9b15775f6e10883a41.zip
Merge pull request #151 from janekptacijarabaci/js_dom_selection_crash_1
moebius#76: JS - DOM - Selection API - crashes
-rw-r--r--dom/base/nsRange.cpp2
-rw-r--r--dom/html/crashtests/1350972.html22
-rw-r--r--dom/html/crashtests/crashtests.list1
3 files changed, 24 insertions, 1 deletions
diff --git a/dom/base/nsRange.cpp b/dom/base/nsRange.cpp
index 37ba147af..4b4ce7885 100644
--- a/dom/base/nsRange.cpp
+++ b/dom/base/nsRange.cpp
@@ -3194,7 +3194,7 @@ nsRange::AutoInvalidateSelection::~AutoInvalidateSelection()
mIsNested = false;
::InvalidateAllFrames(mCommonAncestor);
nsINode* commonAncestor = mRange->GetRegisteredCommonAncestor();
- if (commonAncestor != mCommonAncestor) {
+ if (commonAncestor && commonAncestor != mCommonAncestor) {
::InvalidateAllFrames(commonAncestor);
}
}
diff --git a/dom/html/crashtests/1350972.html b/dom/html/crashtests/1350972.html
new file mode 100644
index 000000000..7af7f9e17
--- /dev/null
+++ b/dom/html/crashtests/1350972.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+ try { o1 = document.createElement('tr'); } catch(e) {};
+ try { o2 = document.createElement('div'); } catch(e) {};
+ try { o3 = document.createElement('hr'); } catch(e) {};
+ try { o4 = document.createElement('textarea'); } catch(e) {};
+ try { o5 = document.getSelection(); } catch(e) {};
+ try { o6 = document.createRange(); } catch(e) {};
+ try { document.documentElement.appendChild(o2); } catch(e) {};
+ try { document.documentElement.appendChild(o3); } catch(e) {};
+ try { o2.appendChild(o4); } catch(e) {};
+ try { o3.outerHTML = "<noscript contenteditable='true'>"; } catch(e) {};
+ try { o4.select(); } catch(e) {};
+ try { o5.addRange(o6); } catch(e) {};
+ try { document.documentElement.appendChild(o1); } catch(e) {};
+ try { o5.selectAllChildren(o1); } catch(e) {};
+ try { o6.selectNode(o1); } catch(e) {};
+</script>
+</head>
+</html> \ No newline at end of file
diff --git a/dom/html/crashtests/crashtests.list b/dom/html/crashtests/crashtests.list
index e55a0a350..a2068ea4e 100644
--- a/dom/html/crashtests/crashtests.list
+++ b/dom/html/crashtests/crashtests.list
@@ -78,4 +78,5 @@ load 1237633.html
load 1281972-1.html
load 1282894.html
load 1290904.html
+asserts(0-3) load 1350972.html
load 1386905.html