Diffstat (limited to 'dom/html')
-rw-r--r-- | dom/html/crashtests/1350972.html | 22 | ||||
-rw-r--r-- | dom/html/crashtests/crashtests.list | 1 | ||||
-rw-r--r-- | dom/html/nsHTMLDocument.cpp | 12 |
3 files changed, 35 insertions, 0 deletions
diff --git a/dom/html/crashtests/1350972.html b/dom/html/crashtests/1350972.html
new file mode 100644
index 000000000..7af7f9e17
--- /dev/null
+++ b/dom/html/crashtests/1350972.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+ try { o1 = document.createElement('tr'); } catch(e) {};
+ try { o2 = document.createElement('div'); } catch(e) {};
+ try { o3 = document.createElement('hr'); } catch(e) {};
+ try { o4 = document.createElement('textarea'); } catch(e) {};
+ try { o5 = document.getSelection(); } catch(e) {};
+ try { o6 = document.createRange(); } catch(e) {};
+ try { document.documentElement.appendChild(o2); } catch(e) {};
+ try { document.documentElement.appendChild(o3); } catch(e) {};
+ try { o2.appendChild(o4); } catch(e) {};
+ try { o3.outerHTML = "<noscript contenteditable='true'>"; } catch(e) {};
+ try { o4.select(); } catch(e) {};
+ try { o5.addRange(o6); } catch(e) {};
+ try { document.documentElement.appendChild(o1); } catch(e) {};
+ try { o5.selectAllChildren(o1); } catch(e) {};
+ try { o6.selectNode(o1); } catch(e) {};
+</script>
+</head>
+</html>
\ No newline at end of file
diff --git a/dom/html/crashtests/crashtests.list b/dom/html/crashtests/crashtests.list
index e55a0a350..a2068ea4e 100644
--- a/dom/html/crashtests/crashtests.list
+++ b/dom/html/crashtests/crashtests.list
@@ -78,4 +78,5 @@ load 1237633.html
 load 1281972-1.html
 load 1282894.html
 load 1290904.html
+asserts(0-3) load 1350972.html
 load 1386905.html
diff --git a/dom/html/nsHTMLDocument.cpp b/dom/html/nsHTMLDocument.cpp
index fea78dc37..be5a34d41 100644
--- a/dom/html/nsHTMLDocument.cpp
+++ b/dom/html/nsHTMLDocument.cpp
@@ -1536,6 +1536,18 @@ nsHTMLDocument::Open(JSContext* cx,
 nsCOMPtr<nsIDocument> ret = this;
 return ret.forget();
 }
+
+ // Now double-check that our invariants still hold.
+ if (!mScriptGlobalObject) {
+ nsCOMPtr<nsIDocument> ret = this;
+ return ret.forget();
+ }
+
+ nsPIDOMWindowOuter* outer = GetWindow();
+ if (!outer || (GetInnerWindow() != outer->GetCurrentInnerWindow())) {
+ nsCOMPtr<nsIDocument> ret = this;
+ return ret.forget();
+ }
 }
 nsCOMPtr<nsIWebNavigation> webnav(do_QueryInterface(shell)); |
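Review bot: The first statement after the added block, `nsCOMPtr<nsIWebNavigation> webnav(do_QueryInterface(shell));`, still uses `shell`, which is declared outside the hunk and is not among the things the new checks re-validate; only `mScriptGlobalObject` and the inner/outer window pairing are. If `shell` was captured before whatever can invalidate these invariants, it is worth confirming that it is held by a strong reference and still belongs to this document, or adding it to the re-check. The comment `// Now double-check that our invariants still hold.` should also name them, for example `// Bail out if we lost our script global or are no longer our window's current inner window.`, so a later edit does not drop one of the two checks as redundant. Open()'s body starts and ends outside the hunk, so the step that can break the invariants is not visible here.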