Diffstat (limited to 'dom/html')
-rw-r--r--dom/html/crashtests/1350972.html22
-rw-r--r--dom/html/crashtests/crashtests.list1
-rw-r--r--dom/html/nsHTMLDocument.cpp12
3 files changed, 35 insertions, 0 deletions
diff --git a/dom/html/crashtests/1350972.html b/dom/html/crashtests/1350972.html
new file mode 100644
index 000000000..7af7f9e17
--- /dev/null
+++ b/dom/html/crashtests/1350972.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+ try { o1 = document.createElement('tr'); } catch(e) {};
+ try { o2 = document.createElement('div'); } catch(e) {};
+ try { o3 = document.createElement('hr'); } catch(e) {};
+ try { o4 = document.createElement('textarea'); } catch(e) {};
+ try { o5 = document.getSelection(); } catch(e) {};
+ try { o6 = document.createRange(); } catch(e) {};
+ try { document.documentElement.appendChild(o2); } catch(e) {};
+ try { document.documentElement.appendChild(o3); } catch(e) {};
+ try { o2.appendChild(o4); } catch(e) {};
+ try { o3.outerHTML = "<noscript contenteditable='true'>"; } catch(e) {};
+ try { o4.select(); } catch(e) {};
+ try { o5.addRange(o6); } catch(e) {};
+ try { document.documentElement.appendChild(o1); } catch(e) {};
+ try { o5.selectAllChildren(o1); } catch(e) {};
+ try { o6.selectNode(o1); } catch(e) {};
+</script>
+</head>
+</html>
\ No newline at end of file
diff --git a/dom/html/crashtests/crashtests.list b/dom/html/crashtests/crashtests.list
index e55a0a350..a2068ea4e 100644
--- a/dom/html/crashtests/crashtests.list
+++ b/dom/html/crashtests/crashtests.list
@@ -78,4 +78,5 @@ load 1237633.html
load 1281972-1.html
load 1282894.html
load 1290904.html
+asserts(0-3) load 1350972.html
load 1386905.html
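Review bot: `asserts(0-3)` on the new `1350972.html` entry accepts anywhere from zero to three assertions without recording which assertions are expected or why the count varies. A new assertion introduced later on this path would therefore pass unnoticed as long as the total stays within three. A `#` comment above the entry naming the known assertion(s) and their tracking bug, for example `# Bug <BUG-ID-PLACEHOLDER>: <assertion text>`, would let the range be tightened or dropped once they are fixed.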
diff --git a/dom/html/nsHTMLDocument.cpp b/dom/html/nsHTMLDocument.cpp
index fea78dc37..be5a34d41 100644
--- a/dom/html/nsHTMLDocument.cpp
+++ b/dom/html/nsHTMLDocument.cpp
@@ -1536,6 +1536,18 @@ nsHTMLDocument::Open(JSContext* cx,
nsCOMPtr<nsIDocument> ret = this;
return ret.forget();
}
+
+ // Now double-check that our invariants still hold.
+ if (!mScriptGlobalObject) {
+ nsCOMPtr<nsIDocument> ret = this;
+ return ret.forget();
+ }
+
+ nsPIDOMWindowOuter* outer = GetWindow();
+ if (!outer || (GetInnerWindow() != outer->GetCurrentInnerWindow())) {
+ nsCOMPtr<nsIDocument> ret = this;
+ return ret.forget();
+ }
}
nsCOMPtr<nsIWebNavigation> webnav(do_QueryInterface(shell));
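Review bot: The comment `// Now double-check that our invariants still hold.` does not say which invariants are meant or what could have broken them, so a later reader cannot tell whether the two guards below it are complete. Judging by the checks, the concern appears to be that the step just above the hunk (not visible here) can run script that detaches this document from its window or makes a different inner window current. I would state that directly, e.g. `// Script may have run above: bail out if we lost our script global or are no longer the current inner window of our outer window.` Both guards return the same value, so with `outer` fetched first they can be one condition, `if (!mScriptGlobalObject || !outer || GetInnerWindow() != outer->GetCurrentInnerWindow())`, which avoids repeating the `ret.forget()` early return twice more. Open() starts and ends outside the hunk, so whether `shell`, used on the line after the block, needs the same recheck cannot be judged from here.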