authorjanekptacijarabaci <janekptacijarabaci@seznam.cz>2018-04-13 20:57:00 +0200
committerjanekptacijarabaci <janekptacijarabaci@seznam.cz>2018-04-13 20:57:00 +0200
commit84e449502f51e192d337eb793946d5b03f4c6460 (patch)
treefef676db7fef06f09032e64e74ac04c5ead481e3 /dom
parent314016db7f55d24ad9d23197ca56462e78bc9ecc (diff)
moebius#76: JS - DOM - Selection API - crashes
https://github.com/MoonchildProductions/moebius/pull/76
Diffstat (limited to 'dom')
-rw-r--r--dom/base/nsRange.cpp2
-rw-r--r--dom/html/crashtests/1350972.html22
-rw-r--r--dom/html/crashtests/crashtests.list1
3 files changed, 24 insertions, 1 deletions
diff --git a/dom/base/nsRange.cpp b/dom/base/nsRange.cpp
index 37ba147af..4b4ce7885 100644
--- a/dom/base/nsRange.cpp
+++ b/dom/base/nsRange.cpp
@@ -3194,7 +3194,7 @@ nsRange::AutoInvalidateSelection::~AutoInvalidateSelection()
mIsNested = false;
::InvalidateAllFrames(mCommonAncestor);
nsINode* commonAncestor = mRange->GetRegisteredCommonAncestor();
- if (commonAncestor != mCommonAncestor) {
+ if (commonAncestor && commonAncestor != mCommonAncestor) {
::InvalidateAllFrames(commonAncestor);
}
}
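Review bot: The new `commonAncestor &&` guard in `~AutoInvalidateSelection` has no comment saying when `mRange->GetRegisteredCommonAncestor()` returns null, so a reader cannot tell a legitimate state from a masked invariant violation. The crashtest reaches this path from page script and `crashtests.list` still allows `asserts(0-3)` for it, so it looks as though the range can leave the selection while the guard is alive; that is inferred, not shown in these lines. I would add above the `if`: `// The range may no longer have a registered common ancestor (e.g. it left its selection while this guard was live); nothing further to invalidate then.` The destructor starts outside the hunk, so whether `mCommonAncestor` and `mRange` are validated before the first `::InvalidateAllFrames` call cannot be confirmed here.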
diff --git a/dom/html/crashtests/1350972.html b/dom/html/crashtests/1350972.html
new file mode 100644
index 000000000..7af7f9e17
--- /dev/null
+++ b/dom/html/crashtests/1350972.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+ try { o1 = document.createElement('tr'); } catch(e) {};
+ try { o2 = document.createElement('div'); } catch(e) {};
+ try { o3 = document.createElement('hr'); } catch(e) {};
+ try { o4 = document.createElement('textarea'); } catch(e) {};
+ try { o5 = document.getSelection(); } catch(e) {};
+ try { o6 = document.createRange(); } catch(e) {};
+ try { document.documentElement.appendChild(o2); } catch(e) {};
+ try { document.documentElement.appendChild(o3); } catch(e) {};
+ try { o2.appendChild(o4); } catch(e) {};
+ try { o3.outerHTML = "<noscript contenteditable='true'>"; } catch(e) {};
+ try { o4.select(); } catch(e) {};
+ try { o5.addRange(o6); } catch(e) {};
+ try { document.documentElement.appendChild(o1); } catch(e) {};
+ try { o5.selectAllChildren(o1); } catch(e) {};
+ try { o6.selectNode(o1); } catch(e) {};
+</script>
+</head>
+</html>
\ No newline at end of file
diff --git a/dom/html/crashtests/crashtests.list b/dom/html/crashtests/crashtests.list
index e55a0a350..a2068ea4e 100644
--- a/dom/html/crashtests/crashtests.list
+++ b/dom/html/crashtests/crashtests.list
@@ -78,4 +78,5 @@ load 1237633.html
load 1281972-1.html
load 1282894.html
load 1290904.html
+asserts(0-3) load 1350972.html
load 1386905.html